From a9ea2dd103e71a39e5562710351e3a6b96875c70 Mon Sep 17 00:00:00 2001 
From: juanvallejo Date: Wed, 15 Nov 2017 18:37:39 -0500 Subject: [PATCH] remove pkg/cmd/server/admin/overwrite_bootstrappolicy.go and pkg/cmd/server/admin/legacyetcd --- .../legacyetcd/clusterpolicy/etcd/etcd.go | 37 -- .../legacyetcd/clusterpolicy/registry.go | 163 -------- .../legacyetcd/clusterpolicy/strategy.go | 62 --- .../clusterpolicybinding/etcd/etcd.go | 37 -- .../clusterpolicybinding/registry.go | 163 -------- .../clusterpolicybinding/strategy.go | 78 ---- .../legacyetcd/clusterrole/proxy/proxy.go | 124 ------ .../admin/legacyetcd/clusterrole/registry.go | 21 - .../clusterrolebinding/proxy/proxy.go | 116 ------ .../legacyetcd/clusterrolebinding/registry.go | 21 - .../admin/legacyetcd/policy/etcd/etcd.go | 37 -- .../admin/legacyetcd/policy/registry.go | 119 ------ .../admin/legacyetcd/policy/strategy.go | 63 --- .../legacyetcd/policybinding/etcd/etcd.go | 51 --- .../legacyetcd/policybinding/registry.go | 119 ------ .../legacyetcd/policybinding/strategy.go | 90 ---- .../role/policybased/virtual_storage.go | 302 -------------- .../role/policybased/virtual_storage_test.go | 286 ------------- .../server/admin/legacyetcd/role/registry.go | 21 - .../server/admin/legacyetcd/role/strategy.go | 94 ----- .../policybased/virtual_storage.go | 354 ---------------- .../policybased/virtual_storage_test.go | 383 ------------------ .../admin/legacyetcd/rolebinding/registry.go | 21 - .../admin/legacyetcd/rolebinding/strategy.go | 94 ----- .../admin/legacyetcd/test/clusterpolicy.go | 173 -------- .../legacyetcd/test/clusterpolicybinding.go | 170 -------- .../server/admin/legacyetcd/test/policy.go | 185 --------- .../admin/legacyetcd/test/policybinding.go | 186 --------- .../server/admin/overwrite_bootstrappolicy.go | 333 --------------- pkg/oc/admin/admin.go | 3 +- test/cmd/admin.sh | 4 - 31 files changed, 1 insertion(+), 3909 deletions(-) delete mode 100644 pkg/cmd/server/admin/legacyetcd/clusterpolicy/etcd/etcd.go delete mode 100644 
pkg/cmd/server/admin/legacyetcd/clusterpolicy/registry.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/clusterpolicy/strategy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/etcd/etcd.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/registry.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/strategy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/clusterrole/proxy/proxy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/clusterrole/registry.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/clusterrolebinding/proxy/proxy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/clusterrolebinding/registry.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/policy/etcd/etcd.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/policy/registry.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/policy/strategy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/policybinding/etcd/etcd.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/policybinding/registry.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/policybinding/strategy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/role/policybased/virtual_storage.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/role/policybased/virtual_storage_test.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/role/registry.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/role/strategy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/rolebinding/policybased/virtual_storage.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/rolebinding/policybased/virtual_storage_test.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/rolebinding/registry.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/rolebinding/strategy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/test/clusterpolicy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/test/clusterpolicybinding.go delete mode 100644 
pkg/cmd/server/admin/legacyetcd/test/policy.go delete mode 100644 pkg/cmd/server/admin/legacyetcd/test/policybinding.go delete mode 100644 pkg/cmd/server/admin/overwrite_bootstrappolicy.go diff --git a/pkg/cmd/server/admin/legacyetcd/clusterpolicy/etcd/etcd.go b/pkg/cmd/server/admin/legacyetcd/clusterpolicy/etcd/etcd.go deleted file mode 100644 index 4a41a5e32abe..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/clusterpolicy/etcd/etcd.go +++ /dev/null @@ -1,37 +0,0 @@ -package etcd - -import ( - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apiserver/pkg/registry/generic" - "k8s.io/apiserver/pkg/registry/generic/registry" - kapi "k8s.io/kubernetes/pkg/api" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterpolicy" - "github.com/openshift/origin/pkg/util/restoptions" -) - -type REST struct { - *registry.Store -} - -// NewREST returns a RESTStorage object that will work against ClusterPolicy. -func NewREST(optsGetter restoptions.Getter) (*REST, error) { - store := ®istry.Store{ - Copier: kapi.Scheme, - NewFunc: func() runtime.Object { return &authorizationapi.ClusterPolicy{} }, - NewListFunc: func() runtime.Object { return &authorizationapi.ClusterPolicyList{} }, - DefaultQualifiedResource: authorizationapi.Resource("clusterpolicies"), - - CreateStrategy: clusterpolicy.Strategy, - UpdateStrategy: clusterpolicy.Strategy, - DeleteStrategy: clusterpolicy.Strategy, - } - - options := &generic.StoreOptions{RESTOptions: optsGetter} - if err := store.CompleteWithOptions(options); err != nil { - return nil, err - } - - return &REST{store}, nil -} diff --git a/pkg/cmd/server/admin/legacyetcd/clusterpolicy/registry.go b/pkg/cmd/server/admin/legacyetcd/clusterpolicy/registry.go deleted file mode 100644 index 45e33e7306a4..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/clusterpolicy/registry.go +++ /dev/null 
@@ -1,163 +0,0 @@ -package clusterpolicy - -import ( - metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/apimachinery/pkg/watch" - apirequest "k8s.io/apiserver/pkg/endpoints/request" - "k8s.io/apiserver/pkg/registry/rest" - kapi "k8s.io/kubernetes/pkg/api" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policy" -) - -// Registry is an interface for things that know how to store ClusterPolicies. -type Registry interface { - // ListClusterPolicies obtains list of policies that match a selector. - ListClusterPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.ClusterPolicyList, error) - // GetClusterPolicy retrieves a specific policy. - GetClusterPolicy(ctx apirequest.Context, id string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicy, error) - // CreateClusterPolicy creates a new policy. - CreateClusterPolicy(ctx apirequest.Context, policy *authorizationapi.ClusterPolicy) error - // UpdateClusterPolicy updates a policy. - UpdateClusterPolicy(ctx apirequest.Context, policy *authorizationapi.ClusterPolicy) error - // DeleteClusterPolicy deletes a policy. - DeleteClusterPolicy(ctx apirequest.Context, id string) error -} - -type WatchingRegistry interface { - Registry - // WatchClusterPolicies watches policies. 
- WatchClusterPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) -} - -type ReadOnlyClusterPolicyInterface interface { - List(options metainternal.ListOptions) (*authorizationapi.ClusterPolicyList, error) - Get(name string) (*authorizationapi.ClusterPolicy, error) -} - -// Storage is an interface for a standard REST Storage backend -type Storage interface { - rest.StandardStorage -} - -// storage puts strong typing around storage calls -type storage struct { - Storage -} - -// NewRegistry returns a new Registry interface for the given Storage. Any mismatched -// types will panic. -func NewRegistry(s Storage) WatchingRegistry { - return &storage{s} -} - -func (s *storage) ListClusterPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.ClusterPolicyList, error) { - obj, err := s.List(ctx, options) - if err != nil { - return nil, err - } - - return obj.(*authorizationapi.ClusterPolicyList), nil -} - -func (s *storage) CreateClusterPolicy(ctx apirequest.Context, policy *authorizationapi.ClusterPolicy) error { - _, err := s.Create(ctx, policy, false) - return err -} - -func (s *storage) UpdateClusterPolicy(ctx apirequest.Context, policy *authorizationapi.ClusterPolicy) error { - _, _, err := s.Update(ctx, policy.Name, rest.DefaultUpdatedObjectInfo(policy, kapi.Scheme)) - return err -} - -func (s *storage) WatchClusterPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) { - return s.Watch(ctx, options) -} - -func (s *storage) GetClusterPolicy(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicy, error) { - obj, err := s.Get(ctx, name, options) - if err != nil { - return nil, err - } - return obj.(*authorizationapi.ClusterPolicy), nil -} - -func (s *storage) DeleteClusterPolicy(ctx apirequest.Context, name string) error { - _, _, err := s.Delete(ctx, name, nil) - return err -} - -type simulatedStorage struct { - 
clusterRegistry Registry -} - -func NewSimulatedRegistry(clusterRegistry Registry) policy.Registry { - return &simulatedStorage{clusterRegistry} -} - -func (s *simulatedStorage) ListPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.PolicyList, error) { - ret, err := s.clusterRegistry.ListClusterPolicies(ctx, options) - if err != nil { - return nil, err - } - return authorizationapi.ToPolicyList(ret), err -} - -func (s *simulatedStorage) CreatePolicy(ctx apirequest.Context, policy *authorizationapi.Policy) error { - return s.clusterRegistry.CreateClusterPolicy(ctx, authorizationapi.ToClusterPolicy(policy)) -} - -func (s *simulatedStorage) UpdatePolicy(ctx apirequest.Context, policy *authorizationapi.Policy) error { - return s.clusterRegistry.UpdateClusterPolicy(ctx, authorizationapi.ToClusterPolicy(policy)) -} - -func (s *simulatedStorage) GetPolicy(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.Policy, error) { - ret, err := s.clusterRegistry.GetClusterPolicy(ctx, name, options) - if err != nil { - return nil, err - } - return authorizationapi.ToPolicy(ret), err -} - -func (s *simulatedStorage) DeletePolicy(ctx apirequest.Context, name string) error { - return s.clusterRegistry.DeleteClusterPolicy(ctx, name) -} - -type ReadOnlyClusterPolicy struct { - Registry Registry -} - -func (s ReadOnlyClusterPolicy) List(options metav1.ListOptions) (*authorizationapi.ClusterPolicyList, error) { - optint := metainternal.ListOptions{} - if err := metainternal.Convert_v1_ListOptions_To_internalversion_ListOptions(&options, &optint, nil); err != nil { - return nil, err - } - return s.Registry.ListClusterPolicies(apirequest.WithNamespace(apirequest.NewContext(), ""), &optint) -} - -func (s ReadOnlyClusterPolicy) Get(name string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicy, error) { - return s.Registry.GetClusterPolicy(apirequest.WithNamespace(apirequest.NewContext(), ""), name, options) -} - 
-type ReadOnlyClusterPolicyClientShim struct { - ReadOnlyClusterPolicy ReadOnlyClusterPolicy -} - -func (r *ReadOnlyClusterPolicyClientShim) List(label labels.Selector) ([]*authorizationapi.ClusterPolicy, error) { - list, err := r.ReadOnlyClusterPolicy.List(metav1.ListOptions{LabelSelector: label.String()}) - if err != nil { - return nil, err - } - var items []*authorizationapi.ClusterPolicy - for i := range list.Items { - items = append(items, &list.Items[i]) - } - return items, nil -} - -func (r *ReadOnlyClusterPolicyClientShim) Get(name string) (*authorizationapi.ClusterPolicy, error) { - return r.ReadOnlyClusterPolicy.Get(name, &metav1.GetOptions{}) -} diff --git a/pkg/cmd/server/admin/legacyetcd/clusterpolicy/strategy.go b/pkg/cmd/server/admin/legacyetcd/clusterpolicy/strategy.go deleted file mode 100644 index edb26416ffec..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/clusterpolicy/strategy.go +++ /dev/null 
@@ -1,62 +0,0 @@ -package clusterpolicy - -import ( - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/util/validation/field" - apirequest "k8s.io/apiserver/pkg/endpoints/request" - kapi "k8s.io/kubernetes/pkg/api" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - "github.com/openshift/origin/pkg/authorization/apis/authorization/validation" -) - -// strategy implements behavior for nodes -type strategy struct { - runtime.ObjectTyper -} - -// Strategy is the default logic that applies when creating and updating ClusterPolicy objects. -var Strategy = strategy{kapi.Scheme} - -func (strategy) NamespaceScoped() bool { - return false -} - -// AllowCreateOnUpdate is false for policies. -func (strategy) AllowCreateOnUpdate() bool { - return false -} - -func (strategy) AllowUnconditionalUpdate() bool { - return false -} - -func (strategy) GenerateName(base string) string { - return base -} - -// PrepareForCreate clears fields that are not allowed to be set by end users on creation. -func (strategy) PrepareForCreate(ctx apirequest.Context, obj runtime.Object) { - policy := obj.(*authorizationapi.ClusterPolicy) - - policy.Name = authorizationapi.PolicyName -} - -// PrepareForUpdate clears fields that are not allowed to be set by end users on update. -func (strategy) PrepareForUpdate(ctx apirequest.Context, obj, old runtime.Object) { - _ = obj.(*authorizationapi.ClusterPolicy) -} - -// Canonicalize normalizes the object after validation. -func (strategy) Canonicalize(obj runtime.Object) { -} - -// Validate validates a new policy. -func (strategy) Validate(ctx apirequest.Context, obj runtime.Object) field.ErrorList { - return validation.ValidateClusterPolicy(obj.(*authorizationapi.ClusterPolicy)) -} - -// ValidateUpdate is the default update validation for an end user. 
-func (strategy) ValidateUpdate(ctx apirequest.Context, obj, old runtime.Object) field.ErrorList { - return validation.ValidateClusterPolicyUpdate(obj.(*authorizationapi.ClusterPolicy), old.(*authorizationapi.ClusterPolicy)) -} diff --git a/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/etcd/etcd.go b/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/etcd/etcd.go deleted file mode 100644 index 6bd8e9ce2a1c..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/etcd/etcd.go +++ /dev/null @@ -1,37 +0,0 @@ -package etcd - -import ( - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apiserver/pkg/registry/generic" - "k8s.io/apiserver/pkg/registry/generic/registry" - kapi "k8s.io/kubernetes/pkg/api" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding" - "github.com/openshift/origin/pkg/util/restoptions" -) - -type REST struct { - *registry.Store -} - -// NewREST returns a RESTStorage object that will work against ClusterPolicyBinding. -func NewREST(optsGetter restoptions.Getter) (*REST, error) { - store := ®istry.Store{ - Copier: kapi.Scheme, - NewFunc: func() runtime.Object { return &authorizationapi.ClusterPolicyBinding{} }, - NewListFunc: func() runtime.Object { return &authorizationapi.ClusterPolicyBindingList{} }, - DefaultQualifiedResource: authorizationapi.Resource("clusterpolicybindings"), - - CreateStrategy: clusterpolicybinding.Strategy, - UpdateStrategy: clusterpolicybinding.Strategy, - DeleteStrategy: clusterpolicybinding.Strategy, - } - - options := &generic.StoreOptions{RESTOptions: optsGetter} - if err := store.CompleteWithOptions(options); err != nil { - return nil, err - } - - return &REST{store}, nil -} diff --git a/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/registry.go b/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/registry.go deleted file mode 100644 index 78ab942f9706..000000000000 
--- a/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/registry.go +++ /dev/null 
@@ -1,163 +0,0 @@ -package clusterpolicybinding - -import ( - metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/apimachinery/pkg/watch" - apirequest "k8s.io/apiserver/pkg/endpoints/request" - "k8s.io/apiserver/pkg/registry/rest" - kapi "k8s.io/kubernetes/pkg/api" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policybinding" -) - -// Registry is an interface for things that know how to store ClusterPolicyBindings. -type Registry interface { - // ListClusterPolicyBindings obtains list of policyBindings that match a selector. - ListClusterPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.ClusterPolicyBindingList, error) - // GetClusterPolicyBinding retrieves a specific policyBinding. - GetClusterPolicyBinding(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicyBinding, error) - // CreateClusterPolicyBinding creates a new policyBinding. - CreateClusterPolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.ClusterPolicyBinding) error - // UpdateClusterPolicyBinding updates a policyBinding. - UpdateClusterPolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.ClusterPolicyBinding) error - // DeleteClusterPolicyBinding deletes a policyBinding. - DeleteClusterPolicyBinding(ctx apirequest.Context, name string) error -} - -type WatchingRegistry interface { - Registry - // WatchClusterPolicyBindings watches policyBindings. 
- WatchClusterPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) -} - -type ReadOnlyClusterPolicyInterface interface { - List(options metainternal.ListOptions) (*authorizationapi.ClusterPolicyBindingList, error) - Get(name string) (*authorizationapi.ClusterPolicyBinding, error) -} - -// Storage is an interface for a standard REST Storage backend -type Storage interface { - rest.StandardStorage -} - -// storage puts strong typing around storage calls -type storage struct { - Storage -} - -// NewRegistry returns a new Registry interface for the given Storage. Any mismatched -// types will panic. -func NewRegistry(s Storage) WatchingRegistry { - return &storage{s} -} - -func (s *storage) ListClusterPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.ClusterPolicyBindingList, error) { - obj, err := s.List(ctx, options) - if err != nil { - return nil, err - } - - return obj.(*authorizationapi.ClusterPolicyBindingList), nil -} - -func (s *storage) CreateClusterPolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.ClusterPolicyBinding) error { - _, err := s.Create(ctx, policyBinding, false) - return err -} - -func (s *storage) UpdateClusterPolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.ClusterPolicyBinding) error { - _, _, err := s.Update(ctx, policyBinding.Name, rest.DefaultUpdatedObjectInfo(policyBinding, kapi.Scheme)) - return err -} - -func (s *storage) WatchClusterPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) { - return s.Watch(ctx, options) -} - -func (s *storage) GetClusterPolicyBinding(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicyBinding, error) { - obj, err := s.Get(ctx, name, options) - if err != nil { - return nil, err - } - return obj.(*authorizationapi.ClusterPolicyBinding), nil -} - -func (s *storage) 
DeleteClusterPolicyBinding(ctx apirequest.Context, name string) error { - _, _, err := s.Delete(ctx, name, nil) - return err -} - -type simulatedStorage struct { - clusterRegistry Registry -} - -func NewSimulatedRegistry(clusterRegistry Registry) policybinding.Registry { - return &simulatedStorage{clusterRegistry} -} - -func (s *simulatedStorage) ListPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.PolicyBindingList, error) { - ret, err := s.clusterRegistry.ListClusterPolicyBindings(ctx, options) - if err != nil { - return nil, err - } - return authorizationapi.ToPolicyBindingList(ret), err -} - -func (s *simulatedStorage) CreatePolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.PolicyBinding) error { - return s.clusterRegistry.CreateClusterPolicyBinding(ctx, authorizationapi.ToClusterPolicyBinding(policyBinding)) -} - -func (s *simulatedStorage) UpdatePolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.PolicyBinding) error { - return s.clusterRegistry.UpdateClusterPolicyBinding(ctx, authorizationapi.ToClusterPolicyBinding(policyBinding)) -} - -func (s *simulatedStorage) GetPolicyBinding(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.PolicyBinding, error) { - ret, err := s.clusterRegistry.GetClusterPolicyBinding(ctx, name, options) - if err != nil { - return nil, err - } - return authorizationapi.ToPolicyBinding(ret), err -} - -func (s *simulatedStorage) DeletePolicyBinding(ctx apirequest.Context, name string) error { - return s.clusterRegistry.DeleteClusterPolicyBinding(ctx, name) -} - -type ReadOnlyClusterPolicyBinding struct { - Registry Registry -} - -func (s ReadOnlyClusterPolicyBinding) List(options metav1.ListOptions) (*authorizationapi.ClusterPolicyBindingList, error) { - optint := metainternal.ListOptions{} - if err := metainternal.Convert_v1_ListOptions_To_internalversion_ListOptions(&options, &optint, nil); err != nil { - return nil, err 
- } - return s.Registry.ListClusterPolicyBindings(apirequest.WithNamespace(apirequest.NewContext(), ""), &optint) -} - -func (s ReadOnlyClusterPolicyBinding) Get(name string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicyBinding, error) { - return s.Registry.GetClusterPolicyBinding(apirequest.WithNamespace(apirequest.NewContext(), ""), name, options) -} - -type ReadOnlyClusterPolicyBindingClientShim struct { - ReadOnlyClusterPolicyBinding ReadOnlyClusterPolicyBinding -} - -func (r *ReadOnlyClusterPolicyBindingClientShim) List(label labels.Selector) ([]*authorizationapi.ClusterPolicyBinding, error) { - list, err := r.ReadOnlyClusterPolicyBinding.List(metav1.ListOptions{LabelSelector: label.String()}) - if err != nil { - return nil, err - } - var items []*authorizationapi.ClusterPolicyBinding - for i := range list.Items { - items = append(items, &list.Items[i]) - } - return items, nil -} - -func (r *ReadOnlyClusterPolicyBindingClientShim) Get(name string) (*authorizationapi.ClusterPolicyBinding, error) { - return r.ReadOnlyClusterPolicyBinding.Get(name, &metav1.GetOptions{}) -} diff --git a/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/strategy.go b/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/strategy.go deleted file mode 100644 index ea3856d26e85..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/strategy.go +++ /dev/null 
@@ -1,78 +0,0 @@ -package clusterpolicybinding - -import ( - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/util/validation/field" - apirequest "k8s.io/apiserver/pkg/endpoints/request" - kapi "k8s.io/kubernetes/pkg/api" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - "github.com/openshift/origin/pkg/authorization/apis/authorization/validation" -) - -// strategy implements behavior for nodes -type strategy struct { - runtime.ObjectTyper -} - -// Strategy is the default logic that applies when creating and updating ClusterPolicyBinding objects. -var Strategy = strategy{kapi.Scheme} - -func (strategy) NamespaceScoped() bool { - return false -} - -// AllowCreateOnUpdate is false for policybindings. -func (strategy) AllowCreateOnUpdate() bool { - return false -} - -func (strategy) AllowUnconditionalUpdate() bool { - return false -} - -func (strategy) GenerateName(base string) string { - return base -} - -// PrepareForCreate clears fields that are not allowed to be set by end users on creation. -func (s strategy) PrepareForCreate(ctx apirequest.Context, obj runtime.Object) { - binding := obj.(*authorizationapi.ClusterPolicyBinding) - - s.scrubBindingRefs(binding) - // force a delimited name, just in case we someday allow a reference to a global object that won't have a namespace. We'll end up with a name like ":default". - // ":" is not in the value space of namespaces, so no escaping is necessary - binding.Name = authorizationapi.GetPolicyBindingName(binding.PolicyRef.Namespace) -} - -// scrubBindingRefs discards pieces of the object references that we don't respect to avoid confusion. 
-func (s strategy) scrubBindingRefs(binding *authorizationapi.ClusterPolicyBinding) { - binding.PolicyRef = kapi.ObjectReference{Namespace: binding.PolicyRef.Namespace, Name: authorizationapi.PolicyName} - binding.PolicyRef.Namespace = "" - - for roleBindingKey, roleBinding := range binding.RoleBindings { - roleBinding.RoleRef = kapi.ObjectReference{Namespace: binding.PolicyRef.Namespace, Name: roleBinding.RoleRef.Name} - binding.RoleBindings[roleBindingKey] = roleBinding - } -} - -// PrepareForUpdate clears fields that are not allowed to be set by end users on update. -func (s strategy) PrepareForUpdate(ctx apirequest.Context, obj, old runtime.Object) { - binding := obj.(*authorizationapi.ClusterPolicyBinding) - - s.scrubBindingRefs(binding) -} - -// Canonicalize normalizes the object after validation. -func (strategy) Canonicalize(obj runtime.Object) { -} - -// Validate validates a new policyBinding. -func (strategy) Validate(ctx apirequest.Context, obj runtime.Object) field.ErrorList { - return validation.ValidateClusterPolicyBinding(obj.(*authorizationapi.ClusterPolicyBinding)) -} - -// ValidateUpdate is the default update validation for an end user. -func (strategy) ValidateUpdate(ctx apirequest.Context, obj, old runtime.Object) field.ErrorList { - return validation.ValidateClusterPolicyBindingUpdate(obj.(*authorizationapi.ClusterPolicyBinding), old.(*authorizationapi.ClusterPolicyBinding)) -} diff --git a/pkg/cmd/server/admin/legacyetcd/clusterrole/proxy/proxy.go b/pkg/cmd/server/admin/legacyetcd/clusterrole/proxy/proxy.go deleted file mode 100644 index 7e26d490d3b1..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/clusterrole/proxy/proxy.go +++ /dev/null 
@@ -1,124 +0,0 @@ -package proxy - -import ( - metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - apirequest "k8s.io/apiserver/pkg/endpoints/request" - "k8s.io/apiserver/pkg/registry/rest" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - "github.com/openshift/origin/pkg/authorization/rulevalidation" - clusterpolicyregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterpolicy" - "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterrole" - roleregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/role" - rolestorage "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/role/policybased" -) - -type ClusterRoleStorage struct { - roleStorage rolestorage.VirtualStorage -} - -func NewClusterRoleStorage(clusterPolicyRegistry clusterpolicyregistry.Registry, liveRuleResolver, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) clusterrole.Storage { - return &ClusterRoleStorage{ - roleStorage: rolestorage.VirtualStorage{ - PolicyStorage: clusterpolicyregistry.NewSimulatedRegistry(clusterPolicyRegistry), - - RuleResolver: liveRuleResolver, - CachedRuleResolver: cachedRuleResolver, - - CreateStrategy: roleregistry.ClusterStrategy, - UpdateStrategy: roleregistry.ClusterStrategy, - Resource: authorizationapi.Resource("clusterrole"), - }, - } -} - -func (s *ClusterRoleStorage) New() runtime.Object { - return &authorizationapi.ClusterRole{} -} -func (s *ClusterRoleStorage) NewList() runtime.Object { - return &authorizationapi.ClusterRoleList{} -} - -func (s *ClusterRoleStorage) List(ctx apirequest.Context, options *metainternal.ListOptions) (runtime.Object, error) { - ret, err := s.roleStorage.List(ctx, options) - if ret == nil { - return nil, err - } - return authorizationapi.ToClusterRoleList(ret.(*authorizationapi.RoleList)), err -} - -func (s *ClusterRoleStorage) Get(ctx 
apirequest.Context, name string, options *metav1.GetOptions) (runtime.Object, error) { - ret, err := s.roleStorage.Get(ctx, name, options) - if ret == nil { - return nil, err - } - - return authorizationapi.ToClusterRole(ret.(*authorizationapi.Role)), err -} -func (s *ClusterRoleStorage) Delete(ctx apirequest.Context, name string, options *metav1.DeleteOptions) (runtime.Object, bool, error) { - ret, immediate, err := s.roleStorage.Delete(ctx, name, options) - if ret == nil { - return nil, immediate, err - } - - return ret.(*metav1.Status), false, err -} - -func (s *ClusterRoleStorage) Create(ctx apirequest.Context, obj runtime.Object, _ bool) (runtime.Object, error) { - clusterObj := obj.(*authorizationapi.ClusterRole) - convertedObj := authorizationapi.ToRole(clusterObj) - - ret, err := s.roleStorage.Create(ctx, convertedObj, false) - if ret == nil { - return nil, err - } - - return authorizationapi.ToClusterRole(ret.(*authorizationapi.Role)), err -} - -type convertingObjectInfo struct { - rest.UpdatedObjectInfo -} - -func (i convertingObjectInfo) UpdatedObject(ctx apirequest.Context, old runtime.Object) (runtime.Object, error) { - oldObj := old.(*authorizationapi.Role) - convertedOldObj := authorizationapi.ToClusterRole(oldObj) - obj, err := i.UpdatedObjectInfo.UpdatedObject(ctx, convertedOldObj) - if err != nil { - return nil, err - } - clusterObj := obj.(*authorizationapi.ClusterRole) - convertedObj := authorizationapi.ToRole(clusterObj) - return convertedObj, nil -} - -func (s *ClusterRoleStorage) Update(ctx apirequest.Context, name string, objInfo rest.UpdatedObjectInfo) (runtime.Object, bool, error) { - ret, created, err := s.roleStorage.Update(ctx, name, convertingObjectInfo{objInfo}) - if ret == nil { - return nil, created, err - } - - return authorizationapi.ToClusterRole(ret.(*authorizationapi.Role)), created, err -} - -func (m *ClusterRoleStorage) CreateClusterRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.ClusterRole) 
(*authorizationapi.ClusterRole, error) { - in := authorizationapi.ToRole(obj) - ret, err := m.roleStorage.CreateRoleWithEscalation(ctx, in) - return authorizationapi.ToClusterRole(ret), err -} - -func (m *ClusterRoleStorage) UpdateClusterRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, bool, error) { - in := authorizationapi.ToRole(obj) - ret, created, err := m.roleStorage.UpdateRoleWithEscalation(ctx, in) - return authorizationapi.ToClusterRole(ret), created, err -} - -func (m *ClusterRoleStorage) CreateRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.Role) (*authorizationapi.Role, error) { - return m.roleStorage.CreateRoleWithEscalation(ctx, obj) -} - -func (m *ClusterRoleStorage) UpdateRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.Role) (*authorizationapi.Role, bool, error) { - return m.roleStorage.UpdateRoleWithEscalation(ctx, obj) -} diff --git a/pkg/cmd/server/admin/legacyetcd/clusterrole/registry.go b/pkg/cmd/server/admin/legacyetcd/clusterrole/registry.go deleted file mode 100644 index ebed8443be01..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/clusterrole/registry.go +++ /dev/null 
@@ -1,21 +0,0 @@ -package clusterrole - -import ( - apirequest "k8s.io/apiserver/pkg/endpoints/request" - "k8s.io/apiserver/pkg/registry/rest" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" -) - -// Storage is an interface for a standard REST Storage backend -type Storage interface { - rest.Getter - rest.Lister - rest.CreaterUpdater - rest.GracefulDeleter - - // CreateRoleWithEscalation creates a new policyRole. Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound. - CreateClusterRoleWithEscalation(ctx apirequest.Context, policyRole *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, error) - // UpdateRoleWithEscalation updates a policyRole. Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound. - UpdateClusterRoleWithEscalation(ctx apirequest.Context, policyRole *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, bool, error) -} diff --git a/pkg/cmd/server/admin/legacyetcd/clusterrolebinding/proxy/proxy.go b/pkg/cmd/server/admin/legacyetcd/clusterrolebinding/proxy/proxy.go deleted file mode 100644 index fdabdffa9a8f..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/clusterrolebinding/proxy/proxy.go +++ /dev/null 
@@ -1,116 +0,0 @@
-package proxy
-
-import (
- metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/apiserver/pkg/registry/rest"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- "github.com/openshift/origin/pkg/authorization/rulevalidation"
- clusterpolicybindingregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding"
- "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterrolebinding"
- rolebindingregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/rolebinding"
- rolebindingstorage "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/rolebinding/policybased"
-)
-
-type ClusterRoleBindingStorage struct {
- roleBindingStorage rolebindingstorage.VirtualStorage
-}
-
-func NewClusterRoleBindingStorage(clusterBindingRegistry clusterpolicybindingregistry.Registry, liveRuleResolver, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) clusterrolebinding.Storage {
- return &ClusterRoleBindingStorage{
- roleBindingStorage: rolebindingstorage.VirtualStorage{
- BindingRegistry: clusterpolicybindingregistry.NewSimulatedRegistry(clusterBindingRegistry),
-
- RuleResolver: liveRuleResolver,
- CachedRuleResolver: cachedRuleResolver,
-
- CreateStrategy: rolebindingregistry.ClusterStrategy,
- UpdateStrategy: rolebindingregistry.ClusterStrategy,
- Resource: authorizationapi.Resource("clusterrolebinding"),
- },
- }
-}
-
-func (s *ClusterRoleBindingStorage) New() runtime.Object {
- return &authorizationapi.ClusterRoleBinding{}
-}
-func (s *ClusterRoleBindingStorage) NewList() runtime.Object {
- return &authorizationapi.ClusterRoleBindingList{}
-}
-
-func (s *ClusterRoleBindingStorage) List(ctx apirequest.Context, options *metainternal.ListOptions) (runtime.Object, error) {
- ret, err :=
s.roleBindingStorage.List(ctx, options)
- if ret == nil {
- return nil, err
- }
- return authorizationapi.ToClusterRoleBindingList(ret.(*authorizationapi.RoleBindingList)), err
-}
-
-func (s *ClusterRoleBindingStorage) Get(ctx apirequest.Context, name string, options *metav1.GetOptions) (runtime.Object, error) {
- ret, err := s.roleBindingStorage.Get(ctx, name, options)
- if ret == nil {
- return nil, err
- }
-
- return authorizationapi.ToClusterRoleBinding(ret.(*authorizationapi.RoleBinding)), err
-}
-func (s *ClusterRoleBindingStorage) Delete(ctx apirequest.Context, name string, options *metav1.DeleteOptions) (runtime.Object, bool, error) {
- ret, immediate, err := s.roleBindingStorage.Delete(ctx, name, options)
- if ret == nil {
- return nil, immediate, err
- }
-
- return ret.(*metav1.Status), false, err
-}
-
-func (s *ClusterRoleBindingStorage) Create(ctx apirequest.Context, obj runtime.Object, _ bool) (runtime.Object, error) {
- clusterObj := obj.(*authorizationapi.ClusterRoleBinding)
- convertedObj := authorizationapi.ToRoleBinding(clusterObj)
-
- ret, err := s.roleBindingStorage.Create(ctx, convertedObj, false)
- if ret == nil {
- return nil, err
- }
-
- return authorizationapi.ToClusterRoleBinding(ret.(*authorizationapi.RoleBinding)), err
-}
-
-type convertingObjectInfo struct {
- rest.UpdatedObjectInfo
-}
-
-func (i convertingObjectInfo) UpdatedObject(ctx apirequest.Context, old runtime.Object) (runtime.Object, error) {
- oldObj := old.(*authorizationapi.RoleBinding)
- convertedOldObj := authorizationapi.ToClusterRoleBinding(oldObj)
- obj, err := i.UpdatedObjectInfo.UpdatedObject(ctx, convertedOldObj)
- if err != nil {
- return nil, err
- }
- clusterObj := obj.(*authorizationapi.ClusterRoleBinding)
- convertedObj := authorizationapi.ToRoleBinding(clusterObj)
- return convertedObj, nil
-}
-
-func (s *ClusterRoleBindingStorage) Update(ctx apirequest.Context, name string, objInfo rest.UpdatedObjectInfo) (runtime.Object, bool, error) {
- ret, created, err :=
s.roleBindingStorage.Update(ctx, name, convertingObjectInfo{objInfo})
- if ret == nil {
- return nil, created, err
- }
-
- return authorizationapi.ToClusterRoleBinding(ret.(*authorizationapi.RoleBinding)), created, err
-}
-
-func (m *ClusterRoleBindingStorage) CreateClusterRoleBindingWithEscalation(ctx apirequest.Context, obj *authorizationapi.ClusterRoleBinding) (*authorizationapi.ClusterRoleBinding, error) {
- in := authorizationapi.ToRoleBinding(obj)
- ret, err := m.roleBindingStorage.CreateRoleBindingWithEscalation(ctx, in)
- return authorizationapi.ToClusterRoleBinding(ret), err
-}
-
-func (m *ClusterRoleBindingStorage) UpdateClusterRoleBindingWithEscalation(ctx apirequest.Context, obj *authorizationapi.ClusterRoleBinding) (*authorizationapi.ClusterRoleBinding, bool, error) {
- in := authorizationapi.ToRoleBinding(obj)
- ret, created, err := m.roleBindingStorage.UpdateRoleBindingWithEscalation(ctx, in)
- return authorizationapi.ToClusterRoleBinding(ret), created, err
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/clusterrolebinding/registry.go b/pkg/cmd/server/admin/legacyetcd/clusterrolebinding/registry.go
deleted file mode 100644
index 3cecb74da986..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/clusterrolebinding/registry.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package clusterrolebinding
-
-import (
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/apiserver/pkg/registry/rest"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-)
-
-// Storage is an interface for a standard REST Storage backend
-type Storage interface {
- rest.Getter
- rest.Lister
- rest.CreaterUpdater
- rest.GracefulDeleter
-
- // CreateRoleBinding creates a new policyRoleBinding. Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
- CreateClusterRoleBindingWithEscalation(ctx apirequest.Context, policyRoleBinding *authorizationapi.ClusterRoleBinding) (*authorizationapi.ClusterRoleBinding, error)
- // UpdateRoleBinding updates a policyRoleBinding. Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
- UpdateClusterRoleBindingWithEscalation(ctx apirequest.Context, policyRoleBinding *authorizationapi.ClusterRoleBinding) (*authorizationapi.ClusterRoleBinding, bool, error)
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/policy/etcd/etcd.go b/pkg/cmd/server/admin/legacyetcd/policy/etcd/etcd.go
deleted file mode 100644
index e8bc6a60afca..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/policy/etcd/etcd.go
+++ /dev/null
@@ -1,37 +0,0 @@
-package etcd
-
-import (
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apiserver/pkg/registry/generic"
- "k8s.io/apiserver/pkg/registry/generic/registry"
- kapi "k8s.io/kubernetes/pkg/api"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policy"
- "github.com/openshift/origin/pkg/util/restoptions"
-)
-
-type REST struct {
- *registry.Store
-}
-
-// NewREST returns a RESTStorage object that will work against Policy objects.
-func NewREST(optsGetter restoptions.Getter) (*REST, error) {
- store := ®istry.Store{
- Copier: kapi.Scheme,
- NewFunc: func() runtime.Object { return &authorizationapi.Policy{} },
- NewListFunc: func() runtime.Object { return &authorizationapi.PolicyList{} },
- DefaultQualifiedResource: authorizationapi.Resource("policies"),
-
- CreateStrategy: policy.Strategy,
- UpdateStrategy: policy.Strategy,
- DeleteStrategy: policy.Strategy,
- }
-
- options := &generic.StoreOptions{RESTOptions: optsGetter}
- if err := store.CompleteWithOptions(options); err != nil {
- return nil, err
- }
-
- return &REST{store}, nil
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/policy/registry.go b/pkg/cmd/server/admin/legacyetcd/policy/registry.go
deleted file mode 100644
index f3d2d40b3998..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/policy/registry.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package policy
-
-import (
- metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/labels"
- "k8s.io/apimachinery/pkg/watch"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/apiserver/pkg/registry/rest"
- kapi "k8s.io/kubernetes/pkg/api"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- authorizationlister "github.com/openshift/origin/pkg/authorization/generated/listers/authorization/internalversion"
-)
-
-// Registry is an interface for things that know how to store Policies.
-type Registry interface {
- // ListPolicies obtains list of policies that match a selector.
- ListPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.PolicyList, error)
- // GetPolicy retrieves a specific policy.
- GetPolicy(ctx apirequest.Context, id string, options *metav1.GetOptions) (*authorizationapi.Policy, error)
- // CreatePolicy creates a new policy.
- CreatePolicy(ctx apirequest.Context, policy *authorizationapi.Policy) error
- // UpdatePolicy updates a policy.
- UpdatePolicy(ctx apirequest.Context, policy *authorizationapi.Policy) error
- // DeletePolicy deletes a policy.
- DeletePolicy(ctx apirequest.Context, id string) error
-}
-
-type WatchingRegistry interface {
- Registry
- // WatchPolicies watches policies.
- WatchPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error)
-}
-
-// Storage is an interface for a standard REST Storage backend
-type Storage interface {
- rest.StandardStorage
-}
-
-// storage puts strong typing around storage calls
-type storage struct {
- Storage
-}
-
-// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
-// types will panic.
-func NewRegistry(s Storage) WatchingRegistry {
- return &storage{s}
-}
-
-func (s *storage) ListPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.PolicyList, error) {
- obj, err := s.List(ctx, options)
- if err != nil {
- return nil, err
- }
-
- return obj.(*authorizationapi.PolicyList), nil
-}
-
-func (s *storage) CreatePolicy(ctx apirequest.Context, node *authorizationapi.Policy) error {
- _, err := s.Create(ctx, node, false)
- return err
-}
-
-func (s *storage) UpdatePolicy(ctx apirequest.Context, node *authorizationapi.Policy) error {
- _, _, err := s.Update(ctx, node.Name, rest.DefaultUpdatedObjectInfo(node, kapi.Scheme))
- return err
-}
-
-func (s *storage) WatchPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) {
- return s.Watch(ctx, options)
-}
-
-func (s *storage) GetPolicy(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.Policy, error) {
- obj, err := s.Get(ctx, name, options)
- if err != nil {
- return nil, err
- }
- return obj.(*authorizationapi.Policy), nil
-}
-
-func (s *storage) DeletePolicy(ctx apirequest.Context, name string) error {
- _, _, err := s.Delete(ctx, name, nil)
- return err
-}
-
-type ReadOnlyPolicyListerNamespacer struct {
- Registry Registry
-}
-
-func (s ReadOnlyPolicyListerNamespacer) Policies(namespace string) authorizationlister.PolicyNamespaceLister {
- return readOnlyPolicyLister{registry: s.Registry, namespace: namespace}
-}
-
-func (s ReadOnlyPolicyListerNamespacer) List(label labels.Selector) ([]*authorizationapi.Policy, error) {
- return s.Policies("").List(label)
-}
-
-type readOnlyPolicyLister struct {
- registry Registry
- namespace string
-}
-
-func (s readOnlyPolicyLister) List(label labels.Selector) ([]*authorizationapi.Policy, error) {
- list, err := s.registry.ListPolicies(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), &metainternal.ListOptions{LabelSelector: label})
- if err != nil {
-
return nil, err
- }
- var items []*authorizationapi.Policy
- for i := range list.Items {
- items = append(items, &list.Items[i])
- }
- return items, nil
-}
-
-func (s readOnlyPolicyLister) Get(name string) (*authorizationapi.Policy, error) {
- return s.registry.GetPolicy(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), name, &metav1.GetOptions{})
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/policy/strategy.go b/pkg/cmd/server/admin/legacyetcd/policy/strategy.go
deleted file mode 100644
index cebaef3d0ebd..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/policy/strategy.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package policy
-
-import (
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/util/validation/field"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- kapi "k8s.io/kubernetes/pkg/api"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- "github.com/openshift/origin/pkg/authorization/apis/authorization/validation"
-)
-
-// strategy implements behavior for nodes
-type strategy struct {
- runtime.ObjectTyper
-}
-
-// Strategy is the default logic that applies when creating and updating Policy objects.
-var Strategy = strategy{kapi.Scheme}
-
-// NamespaceScoped is true for policies.
-func (strategy) NamespaceScoped() bool {
- return true
-}
-
-// AllowCreateOnUpdate is false for policies.
-func (strategy) AllowCreateOnUpdate() bool {
- return false
-}
-
-func (strategy) AllowUnconditionalUpdate() bool {
- return false
-}
-
-func (strategy) GenerateName(base string) string {
- return base
-}
-
-// PrepareForCreate clears fields that are not allowed to be set by end users on creation.
-func (strategy) PrepareForCreate(ctx apirequest.Context, obj runtime.Object) {
- policy := obj.(*authorizationapi.Policy)
-
- policy.Name = authorizationapi.PolicyName
-}
-
-// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
-func (strategy) PrepareForUpdate(ctx apirequest.Context, obj, old runtime.Object) {
- _ = obj.(*authorizationapi.Policy)
-}
-
-// Canonicalize normalizes the object after validation.
-func (strategy) Canonicalize(obj runtime.Object) {
-}
-
-// Validate validates a new policy.
-func (strategy) Validate(ctx apirequest.Context, obj runtime.Object) field.ErrorList {
- return validation.ValidateLocalPolicy(obj.(*authorizationapi.Policy))
-}
-
-// ValidateUpdate is the default update validation for an end user.
-func (strategy) ValidateUpdate(ctx apirequest.Context, obj, old runtime.Object) field.ErrorList {
- return validation.ValidateLocalPolicyUpdate(obj.(*authorizationapi.Policy), old.(*authorizationapi.Policy))
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/policybinding/etcd/etcd.go b/pkg/cmd/server/admin/legacyetcd/policybinding/etcd/etcd.go
deleted file mode 100644
index b39c08f2556c..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/policybinding/etcd/etcd.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package etcd
-
-import (
- "fmt"
-
- "k8s.io/apimachinery/pkg/fields"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apiserver/pkg/registry/generic"
- "k8s.io/apiserver/pkg/registry/generic/registry"
- "k8s.io/apiserver/pkg/storage"
- kapi "k8s.io/kubernetes/pkg/api"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policybinding"
- "github.com/openshift/origin/pkg/util/restoptions"
-)
-
-type REST struct {
- *registry.Store
-}
-
-// NewREST returns a RESTStorage object that will work against PolicyBinding objects.
-func NewREST(optsGetter restoptions.Getter) (*REST, error) {
- store := ®istry.Store{
- Copier: kapi.Scheme,
- NewFunc: func() runtime.Object { return &authorizationapi.PolicyBinding{} },
- NewListFunc: func() runtime.Object { return &authorizationapi.PolicyBindingList{} },
- DefaultQualifiedResource: authorizationapi.Resource("policybindings"),
-
- CreateStrategy: policybinding.Strategy,
- UpdateStrategy: policybinding.Strategy,
- DeleteStrategy: policybinding.Strategy,
- }
-
- options := &generic.StoreOptions{RESTOptions: optsGetter,
- AttrFunc: storage.AttrFunc(storage.DefaultNamespaceScopedAttr).WithFieldMutation(FieldSetMutator)}
- if err := store.CompleteWithOptions(options); err != nil {
- return nil, err
- }
-
- return &REST{store}, nil
-}
-
-func FieldSetMutator(obj runtime.Object, fieldSet fields.Set) error {
- policyBinding, ok := obj.(*authorizationapi.PolicyBinding)
- if !ok {
- return fmt.Errorf("%T not a PolicyBinding", obj)
- }
- fieldSet["policyRef.namespace"] = policyBinding.PolicyRef.Namespace
- return nil
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/policybinding/registry.go b/pkg/cmd/server/admin/legacyetcd/policybinding/registry.go
deleted file mode 100644
index f74ef45c9a50..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/policybinding/registry.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package policybinding
-
-import (
- metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/labels"
- "k8s.io/apimachinery/pkg/watch"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/apiserver/pkg/registry/rest"
- kapi "k8s.io/kubernetes/pkg/api"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- authorizationlister "github.com/openshift/origin/pkg/authorization/generated/listers/authorization/internalversion"
-)
-
-// Registry is an interface for things that know how to store PolicyBindings.
-type Registry interface {
- // ListPolicyBindings obtains list of policyBindings that match a selector.
- ListPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.PolicyBindingList, error)
- // GetPolicyBinding retrieves a specific policyBinding.
- GetPolicyBinding(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.PolicyBinding, error)
- // CreatePolicyBinding creates a new policyBinding.
- CreatePolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.PolicyBinding) error
- // UpdatePolicyBinding updates a policyBinding.
- UpdatePolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.PolicyBinding) error
- // DeletePolicyBinding deletes a policyBinding.
- DeletePolicyBinding(ctx apirequest.Context, name string) error
-}
-
-type WatchingRegistry interface {
- Registry
- // WatchPolicyBindings watches policyBindings.
- WatchPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error)
-}
-
-// Storage is an interface for a standard REST Storage backend
-type Storage interface {
- rest.StandardStorage
-}
-
-// storage puts strong typing around storage calls
-type storage struct {
- Storage
-}
-
-// NewRegistry returns a new Registry interface for the given Storage.
Any mismatched
-// types will panic.
-func NewRegistry(s Storage) WatchingRegistry {
- return &storage{s}
-}
-
-func (s *storage) ListPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.PolicyBindingList, error) {
- obj, err := s.List(ctx, options)
- if err != nil {
- return nil, err
- }
-
- return obj.(*authorizationapi.PolicyBindingList), nil
-}
-
-func (s *storage) CreatePolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.PolicyBinding) error {
- _, err := s.Create(ctx, policyBinding, false)
- return err
-}
-
-func (s *storage) UpdatePolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.PolicyBinding) error {
- _, _, err := s.Update(ctx, policyBinding.Name, rest.DefaultUpdatedObjectInfo(policyBinding, kapi.Scheme))
- return err
-}
-
-func (s *storage) WatchPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) {
- return s.Watch(ctx, options)
-}
-
-func (s *storage) GetPolicyBinding(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.PolicyBinding, error) {
- obj, err := s.Get(ctx, name, options)
- if err != nil {
- return nil, err
- }
- return obj.(*authorizationapi.PolicyBinding), nil
-}
-
-func (s *storage) DeletePolicyBinding(ctx apirequest.Context, name string) error {
- _, _, err := s.Delete(ctx, name, nil)
- return err
-}
-
-type ReadOnlyPolicyBindingListerNamespacer struct {
- Registry Registry
-}
-
-func (s ReadOnlyPolicyBindingListerNamespacer) PolicyBindings(namespace string) authorizationlister.PolicyBindingNamespaceLister {
- return policyBindingLister{registry: s.Registry, namespace: namespace}
-}
-
-func (s ReadOnlyPolicyBindingListerNamespacer) List(label labels.Selector) ([]*authorizationapi.PolicyBinding, error) {
- return s.PolicyBindings("").List(label)
-}
-
-type policyBindingLister struct {
- registry Registry
- namespace string
-}
-
-func (s policyBindingLister) List(label labels.Selector)
([]*authorizationapi.PolicyBinding, error) {
- list, err := s.registry.ListPolicyBindings(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), &metainternal.ListOptions{LabelSelector: label})
- if err != nil {
- return nil, err
- }
- var items []*authorizationapi.PolicyBinding
- for i := range list.Items {
- items = append(items, &list.Items[i])
- }
- return items, nil
-}
-
-func (s policyBindingLister) Get(name string) (*authorizationapi.PolicyBinding, error) {
- return s.registry.GetPolicyBinding(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), name, &metav1.GetOptions{})
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/policybinding/strategy.go b/pkg/cmd/server/admin/legacyetcd/policybinding/strategy.go
deleted file mode 100644
index d08b3b1224bd..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/policybinding/strategy.go
+++ /dev/null
@@ -1,90 +0,0 @@
-package policybinding
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/util/validation/field"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- kapi "k8s.io/kubernetes/pkg/api"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- "github.com/openshift/origin/pkg/authorization/apis/authorization/validation"
-)
-
-// strategy implements behavior for nodes
-type strategy struct {
- runtime.ObjectTyper
-}
-
-var Strategy = strategy{kapi.Scheme}
-
-// NamespaceScoped is true for policybindings.
-func (strategy) NamespaceScoped() bool {
- return true
-}
-
-// AllowCreateOnUpdate is false for policybindings.
-func (strategy) AllowCreateOnUpdate() bool {
- return false
-}
-
-func (strategy) AllowUnconditionalUpdate() bool {
- return false
-}
-
-func (strategy) GenerateName(base string) string {
- return base
-}
-
-// PrepareForCreate clears fields that are not allowed to be set by end users on creation.
-func (s strategy) PrepareForCreate(ctx apirequest.Context, obj runtime.Object) {
- binding := obj.(*authorizationapi.PolicyBinding)
-
- s.scrubBindingRefs(binding)
- // force a delimited name, just in case we someday allow a reference to a global object that won't have a namespace. We'll end up with a name like ":default".
- // ":" is not in the value space of namespaces, so no escaping is necessary
- binding.Name = authorizationapi.GetPolicyBindingName(binding.PolicyRef.Namespace)
-}
-
-// scrubBindingRefs discards pieces of the object references that we don't respect to avoid confusion.
-func (s strategy) scrubBindingRefs(binding *authorizationapi.PolicyBinding) {
- binding.PolicyRef = kapi.ObjectReference{Namespace: binding.PolicyRef.Namespace, Name: authorizationapi.PolicyName}
-
- for roleBindingKey, roleBinding := range binding.RoleBindings {
- roleBinding.RoleRef = kapi.ObjectReference{Namespace: binding.PolicyRef.Namespace, Name: roleBinding.RoleRef.Name}
- binding.RoleBindings[roleBindingKey] = roleBinding
- }
-}
-
-// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
-func (s strategy) PrepareForUpdate(ctx apirequest.Context, obj, old runtime.Object) {
- binding := obj.(*authorizationapi.PolicyBinding)
-
- s.scrubBindingRefs(binding)
-}
-
-// Canonicalize normalizes the object after validation.
-func (strategy) Canonicalize(obj runtime.Object) {
-}
-
-// Validate validates a new policyBinding.
-func (strategy) Validate(ctx apirequest.Context, obj runtime.Object) field.ErrorList {
- return validation.ValidateLocalPolicyBinding(obj.(*authorizationapi.PolicyBinding))
-}
-
-// ValidateUpdate is the default update validation for an end user.
-func (strategy) ValidateUpdate(ctx apirequest.Context, obj, old runtime.Object) field.ErrorList {
- return validation.ValidateLocalPolicyBindingUpdate(obj.(*authorizationapi.PolicyBinding), old.(*authorizationapi.PolicyBinding))
-}
-
-func NewEmptyPolicyBinding(namespace, policyNamespace, policyBindingName string) *authorizationapi.PolicyBinding {
- binding := &authorizationapi.PolicyBinding{}
- binding.Name = policyBindingName
- binding.Namespace = namespace
- binding.CreationTimestamp = metav1.Now()
- binding.LastModified = binding.CreationTimestamp
- binding.PolicyRef = kapi.ObjectReference{Name: authorizationapi.PolicyName, Namespace: policyNamespace}
- binding.RoleBindings = make(map[string]*authorizationapi.RoleBinding)
-
- return binding
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/role/policybased/virtual_storage.go b/pkg/cmd/server/admin/legacyetcd/role/policybased/virtual_storage.go
deleted file mode 100644
index 51c7f89b4d34..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/role/policybased/virtual_storage.go
+++ /dev/null
@@ -1,302 +0,0 @@
-package policybased
-
-import (
- "errors"
- "fmt"
- "sort"
-
- kapierrors "k8s.io/apimachinery/pkg/api/errors"
- metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/apiserver/pkg/registry/generic/registry"
- "k8s.io/apiserver/pkg/registry/rest"
- "k8s.io/client-go/util/retry"
- kapi "k8s.io/kubernetes/pkg/api"
- kapihelper "k8s.io/kubernetes/pkg/api/helper"
-
- oapi "github.com/openshift/origin/pkg/api"
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- authorizationinterfaces "github.com/openshift/origin/pkg/authorization/interfaces"
- "github.com/openshift/origin/pkg/authorization/rulevalidation"
- policyregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policy"
- roleregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/role"
-)
-
-// TODO sort out resourceVersions. Perhaps a hash of the object contents?
-
-type VirtualStorage struct {
- PolicyStorage policyregistry.Registry
-
- RuleResolver rulevalidation.AuthorizationRuleResolver
- CachedRuleResolver rulevalidation.AuthorizationRuleResolver
-
- CreateStrategy rest.RESTCreateStrategy
- UpdateStrategy rest.RESTUpdateStrategy
- Resource schema.GroupResource
-}
-
-// NewVirtualStorage creates a new REST for policies.
-func NewVirtualStorage(policyRegistry policyregistry.Registry, liveRuleResolver, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) roleregistry.Storage {
- return &VirtualStorage{
- PolicyStorage: policyRegistry,
-
- RuleResolver: liveRuleResolver,
- CachedRuleResolver: cachedRuleResolver,
-
- CreateStrategy: roleregistry.LocalStrategy,
- UpdateStrategy: roleregistry.LocalStrategy,
- Resource: authorizationapi.Resource("role"),
- }
-}
-
-func (m *VirtualStorage) New() runtime.Object {
- return &authorizationapi.Role{}
-}
-func (m *VirtualStorage) NewList() runtime.Object {
- return &authorizationapi.RoleList{}
-}
-
-func (m *VirtualStorage) List(ctx apirequest.Context, options *metainternal.ListOptions) (runtime.Object, error) {
- policyList, err := m.PolicyStorage.ListPolicies(ctx, &metainternal.ListOptions{})
- if err != nil {
- return nil, err
- }
-
- matcher := roleregistry.Matcher(oapi.InternalListOptionsToSelectors(options))
-
- roleList := &authorizationapi.RoleList{}
- for _, policy := range policyList.Items {
- for _, role := range policy.Roles {
- if matches, err := matcher.Matches(role); err == nil && matches {
- roleList.Items = append(roleList.Items, *role)
- }
- }
- }
-
- sort.Sort(byName(roleList.Items))
- return roleList, nil
-}
-
-func (m *VirtualStorage) Get(ctx apirequest.Context, name string, options *metav1.GetOptions) (runtime.Object, error) {
- policy, err := m.PolicyStorage.GetPolicy(ctx, authorizationapi.PolicyName, options)
- if kapierrors.IsNotFound(err) {
- return nil, kapierrors.NewNotFound(m.Resource, name)
- }
- if err != nil {
- return nil, err
- }
-
- role, exists := policy.Roles[name]
- if !exists {
- return nil, kapierrors.NewNotFound(m.Resource, name)
- }
-
- return role, nil
-}
-
-func (m *VirtualStorage) Delete(ctx apirequest.Context, name string, options *metav1.DeleteOptions) (runtime.Object, bool, error) {
- if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
- policy, err :=
m.PolicyStorage.GetPolicy(ctx, authorizationapi.PolicyName, &metav1.GetOptions{})
- if kapierrors.IsNotFound(err) {
- return kapierrors.NewNotFound(m.Resource, name)
- }
- if err != nil {
- return err
- }
-
- if _, exists := policy.Roles[name]; !exists {
- return kapierrors.NewNotFound(m.Resource, name)
- }
-
- delete(policy.Roles, name)
- policy.LastModified = metav1.Now()
-
- return m.PolicyStorage.UpdatePolicy(ctx, policy)
- }); err != nil {
- return nil, false, err
- }
-
- return &metav1.Status{Status: metav1.StatusSuccess}, true, nil
-}
-
-func (m *VirtualStorage) Create(ctx apirequest.Context, obj runtime.Object, _ bool) (runtime.Object, error) {
- return m.createRole(ctx, obj, rulevalidation.EscalationAllowed(ctx))
-}
-
-func (m *VirtualStorage) CreateRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.Role) (*authorizationapi.Role, error) {
- return m.createRole(ctx, obj, true)
-}
-
-func (m *VirtualStorage) createRole(ctx apirequest.Context, obj runtime.Object, allowEscalation bool) (*authorizationapi.Role, error) {
- // Copy object before passing to BeforeCreate, since it mutates
- objCopy, err := kapi.Scheme.DeepCopy(obj)
- if err != nil {
- return nil, err
- }
- obj = objCopy.(runtime.Object)
-
- if err := rest.BeforeCreate(m.CreateStrategy, ctx, obj); err != nil {
- return nil, err
- }
-
- role := obj.(*authorizationapi.Role)
- if !allowEscalation {
- if err := rulevalidation.ConfirmNoEscalation(ctx, m.Resource, role.Name, m.RuleResolver, m.CachedRuleResolver, authorizationinterfaces.NewLocalRoleAdapter(role)); err != nil {
- return nil, err
- }
- }
-
- if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
- policy, err := m.EnsurePolicy(ctx)
- if err != nil {
- return err
- }
- if _, exists := policy.Roles[role.Name]; exists {
- return kapierrors.NewAlreadyExists(m.Resource, role.Name)
- }
-
- role.ResourceVersion = policy.ResourceVersion
- policy.Roles[role.Name] = role
- policy.LastModified = metav1.Now()
-
- return
m.PolicyStorage.UpdatePolicy(ctx, policy)
- }); err != nil {
- return nil, err
- }
-
- return role, nil
-}
-
-func (m *VirtualStorage) Update(ctx apirequest.Context, name string, objInfo rest.UpdatedObjectInfo) (runtime.Object, bool, error) {
- return m.updateRole(ctx, name, objInfo, rulevalidation.EscalationAllowed(ctx))
-}
-func (m *VirtualStorage) UpdateRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.Role) (*authorizationapi.Role, bool, error) {
- return m.updateRole(ctx, obj.Name, rest.DefaultUpdatedObjectInfo(obj, kapi.Scheme), true)
-}
-
-func (m *VirtualStorage) updateRole(ctx apirequest.Context, name string, objInfo rest.UpdatedObjectInfo, allowEscalation bool) (*authorizationapi.Role, bool, error) {
- var updatedRole *authorizationapi.Role
- var roleConflicted = false
-
- // Retry if the policy update hits a conflict
- if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
- policy, err := m.PolicyStorage.GetPolicy(ctx, authorizationapi.PolicyName, &metav1.GetOptions{})
- if kapierrors.IsNotFound(err) {
- return kapierrors.NewNotFound(m.Resource, name)
- }
- if err != nil {
- return err
- }
-
- oldRole, exists := policy.Roles[name]
- if !exists {
- return kapierrors.NewNotFound(m.Resource, name)
- }
-
- obj, err := objInfo.UpdatedObject(ctx, oldRole)
- if err != nil {
- return err
- }
-
- role, ok := obj.(*authorizationapi.Role)
- if !ok {
- return kapierrors.NewBadRequest(fmt.Sprintf("obj is not a role: %#v", obj))
- }
-
- if len(role.ResourceVersion) == 0 && m.UpdateStrategy.AllowUnconditionalUpdate() {
- role.ResourceVersion = oldRole.ResourceVersion
- }
-
- if err := rest.BeforeUpdate(m.UpdateStrategy, ctx, obj, oldRole); err != nil {
- return err
- }
-
- if !allowEscalation {
- if err := rulevalidation.ConfirmNoEscalation(ctx, m.Resource, role.Name, m.RuleResolver, m.CachedRuleResolver, authorizationinterfaces.NewLocalRoleAdapter(role)); err != nil {
- return err
- }
- }
-
- // conflict detection
- if role.ResourceVersion
!= oldRole.ResourceVersion {
- // mark as a conflict err, but return an untyped error to escape the retry
- roleConflicted = true
- return errors.New(registry.OptimisticLockErrorMsg)
- }
- // non-mutating change
- if kapihelper.Semantic.DeepEqual(oldRole, role) {
- updatedRole = role
- return nil
- }
-
- role.ResourceVersion = policy.ResourceVersion
- policy.Roles[role.Name] = role
- policy.LastModified = metav1.Now()
-
- if err := m.PolicyStorage.UpdatePolicy(ctx, policy); err != nil {
- return err
- }
- updatedRole = role
- return nil
- }); err != nil {
- if roleConflicted {
- // construct the typed conflict error
- return nil, false, kapierrors.NewConflict(authorizationapi.Resource("name"), name, err)
- }
- return nil, false, err
- }
-
- return updatedRole, false, nil
-}
-
-// EnsurePolicy returns the policy object for the specified namespace. If one does not exist, it is created for you. Permission to
-// create, update, or delete roles in a namespace implies the ability to create a Policy object itself.
-func (m *VirtualStorage) EnsurePolicy(ctx apirequest.Context) (*authorizationapi.Policy, error) {
- policy, err := m.PolicyStorage.GetPolicy(ctx, authorizationapi.PolicyName, &metav1.GetOptions{})
- if err != nil {
- if !kapierrors.IsNotFound(err) {
- return nil, err
- }
-
- // if we have no policy, go ahead and make one. creating one here collapses code paths below.
We only take this hit once
- policy = NewEmptyPolicy(apirequest.NamespaceValue(ctx))
- if err := m.PolicyStorage.CreatePolicy(ctx, policy); err != nil {
- // Tolerate the policy having been created in the meantime
- if !kapierrors.IsAlreadyExists(err) {
- return nil, err
- }
- }
-
- policy, err = m.PolicyStorage.GetPolicy(ctx, authorizationapi.PolicyName, &metav1.GetOptions{})
- if err != nil {
- return nil, err
- }
-
- }
-
- if policy.Roles == nil {
- policy.Roles = make(map[string]*authorizationapi.Role)
- }
-
- return policy, nil
-}
-
-func NewEmptyPolicy(namespace string) *authorizationapi.Policy {
- policy := &authorizationapi.Policy{}
- policy.Name = authorizationapi.PolicyName
- policy.Namespace = namespace
- policy.CreationTimestamp = metav1.Now()
- policy.LastModified = policy.CreationTimestamp
- policy.Roles = make(map[string]*authorizationapi.Role)
-
- return policy
-}
-
-type byName []authorizationapi.Role
-
-func (r byName) Len() int { return len(r) }
-func (r byName) Swap(i, j int) { r[i], r[j] = r[j], r[i] }
-func (r byName) Less(i, j int) bool { return r[i].Name < r[j].Name }
diff --git a/pkg/cmd/server/admin/legacyetcd/role/policybased/virtual_storage_test.go b/pkg/cmd/server/admin/legacyetcd/role/policybased/virtual_storage_test.go
deleted file mode 100644
index 12928b193c41..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/role/policybased/virtual_storage_test.go
+++ /dev/null
@@ -1,286 +0,0 @@ -package policybased - -import ( - "reflect" - "testing" - - kapierrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/diff" - "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/apiserver/pkg/authentication/user" - apirequest "k8s.io/apiserver/pkg/endpoints/request" - "k8s.io/apiserver/pkg/registry/rest" - kapi "k8s.io/kubernetes/pkg/api" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - _ "github.com/openshift/origin/pkg/authorization/apis/authorization/install" - "github.com/openshift/origin/pkg/authorization/rulevalidation" - roleregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/role" - "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/test" -) - -func testNewLocalPolicies() []authorizationapi.Policy { - return []authorizationapi.Policy{ - { - ObjectMeta: metav1.ObjectMeta{Name: authorizationapi.PolicyName, Namespace: "unittest"}, - Roles: map[string]*authorizationapi.Role{}, - }, - } -} - -func makeLocalTestStorage() roleregistry.Storage { - policyRegistry := test.NewPolicyRegistry(testNewLocalPolicies(), nil) - - return NewVirtualStorage(policyRegistry, rulevalidation.NewDefaultRuleResolver(policyRegistry, &test.PolicyBindingRegistry{}, &test.ClusterPolicyRegistry{}, &test.ClusterPolicyBindingRegistry{}), nil) -} - -func TestCreateValidationError(t *testing.T) { - storage := makeLocalTestStorage() - - role := &authorizationapi.Role{} - - ctx := apirequest.WithNamespace(apirequest.NewContext(), "unittest") - _, err := storage.Create(ctx, role, false) - if err == nil { - t.Errorf("Expected validation error") - } -} - -func TestCreateValid(t *testing.T) { - storage := makeLocalTestStorage() - - role := &authorizationapi.Role{ - ObjectMeta: metav1.ObjectMeta{Name: "my-role"}, - } - - ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"}) 
- obj, err := storage.Create(ctx, role, false) - if err != nil { - t.Errorf("unexpected error: %v", err) - } - - switch r := obj.(type) { - case *metav1.Status: - t.Errorf("Got back unexpected status: %#v", r) - case *authorizationapi.Role: - // expected case - default: - t.Errorf("Got unexpected type: %#v", r) - } -} - -func TestUpdate(t *testing.T) { - storage := makeLocalTestStorage() - ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"}) - realizedRoleObj, err := storage.Create(ctx, &authorizationapi.Role{ - ObjectMeta: metav1.ObjectMeta{Name: "my-role"}, - Rules: []authorizationapi.PolicyRule{ - {Verbs: sets.NewString(authorizationapi.VerbAll)}, - }, - }, false) - if err != nil { - t.Fatalf("unexpected error: %v", err) - } - - realizedRole := realizedRoleObj.(*authorizationapi.Role) - - role := &authorizationapi.Role{ - ObjectMeta: realizedRole.ObjectMeta, - Rules: []authorizationapi.PolicyRule{ - {Verbs: sets.NewString("list", "update")}, - }, - } - - obj, created, err := storage.Update(ctx, role.Name, rest.DefaultUpdatedObjectInfo(role, kapi.Scheme)) - if err != nil || created { - t.Errorf("Unexpected error %v", err) - } - - switch actual := obj.(type) { - case *metav1.Status: - t.Errorf("Unexpected operation error: %v", obj) - - case *authorizationapi.Role: - if realizedRole.ResourceVersion == actual.ResourceVersion { - t.Errorf("Expected change to role binding. Expected: %s, Got: %s", realizedRole.ResourceVersion, actual.ResourceVersion) - } - role.ResourceVersion = actual.ResourceVersion - if !reflect.DeepEqual(role, obj) { - t.Errorf("Updated role does not match input role. 
%s", diff.ObjectReflectDiff(role, obj)) - } - default: - t.Errorf("Unexpected result type: %v", obj) - } -} - -func TestUnconditionalUpdate(t *testing.T) { - storage := makeLocalTestStorage() - ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"}) - realizedRoleObj, err := storage.Create(ctx, &authorizationapi.Role{ - ObjectMeta: metav1.ObjectMeta{Name: "my-role"}, - Rules: []authorizationapi.PolicyRule{ - {Verbs: sets.NewString(authorizationapi.VerbAll)}, - }, - }, false) - if err != nil { - t.Fatalf("unexpected error: %v", err) - } - - realizedRole := realizedRoleObj.(*authorizationapi.Role) - - role := &authorizationapi.Role{ - ObjectMeta: realizedRole.ObjectMeta, - Rules: []authorizationapi.PolicyRule{ - {Verbs: sets.NewString("list", "update")}, - }, - } - role.ResourceVersion = "" - - obj, created, err := storage.Update(ctx, role.Name, rest.DefaultUpdatedObjectInfo(role, kapi.Scheme)) - if err != nil || created { - t.Errorf("Unexpected error %v", err) - } - - switch actual := obj.(type) { - case *metav1.Status: - t.Errorf("Unexpected operation error: %v", obj) - - case *authorizationapi.Role: - if realizedRole.ResourceVersion == actual.ResourceVersion { - t.Errorf("Expected change to role binding. Expected: %s, Got: %s", realizedRole.ResourceVersion, actual.ResourceVersion) - } - role.ResourceVersion = actual.ResourceVersion - if !reflect.DeepEqual(role, obj) { - t.Errorf("Updated role does not match input role. 
%s", diff.ObjectReflectDiff(role, obj)) - } - default: - t.Errorf("Unexpected result type: %v", obj) - } -} - -func TestConflictingUpdate(t *testing.T) { - storage := makeLocalTestStorage() - ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"}) - realizedRoleObj, err := storage.Create(ctx, &authorizationapi.Role{ - ObjectMeta: metav1.ObjectMeta{Name: "my-role"}, - Rules: []authorizationapi.PolicyRule{ - {Verbs: sets.NewString(authorizationapi.VerbAll)}, - }, - }, false) - if err != nil { - t.Fatalf("unexpected error: %v", err) - } - - realizedRole := realizedRoleObj.(*authorizationapi.Role) - - role := &authorizationapi.Role{ - ObjectMeta: realizedRole.ObjectMeta, - Rules: []authorizationapi.PolicyRule{ - {Verbs: sets.NewString("list", "update")}, - }, - } - role.ResourceVersion += "1" - - _, _, err = storage.Update(ctx, role.Name, rest.DefaultUpdatedObjectInfo(role, kapi.Scheme)) - if err == nil || !kapierrors.IsConflict(err) { - t.Errorf("Expected conflict error, got: %#v", err) - } -} - -func TestUpdateNoOp(t *testing.T) { - storage := makeLocalTestStorage() - ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"}) - realizedRoleObj, err := storage.Create(ctx, &authorizationapi.Role{ - ObjectMeta: metav1.ObjectMeta{Name: "my-role"}, - Rules: []authorizationapi.PolicyRule{ - {Verbs: sets.NewString(authorizationapi.VerbAll)}, - }, - }, false) - if err != nil { - t.Fatalf("unexpected error: %v", err) - } - - realizedRole := realizedRoleObj.(*authorizationapi.Role) - - role := &authorizationapi.Role{ - ObjectMeta: realizedRole.ObjectMeta, - Rules: []authorizationapi.PolicyRule{ - {Verbs: sets.NewString(authorizationapi.VerbAll)}, - }, - } - - obj, created, err := storage.Update(ctx, role.Name, rest.DefaultUpdatedObjectInfo(role, kapi.Scheme)) - if err != nil || created { - t.Errorf("Unexpected error %v", err) - } - 
- switch o := obj.(type) { - case *metav1.Status: - t.Errorf("Unexpected operation error: %v", obj) - - case *authorizationapi.Role: - if realizedRole.ResourceVersion != o.ResourceVersion { - t.Errorf("Expected no change to role binding. Expected: %s, Got: %s", realizedRole.ResourceVersion, o.ResourceVersion) - } - if !reflect.DeepEqual(role, obj) { - t.Errorf("Updated role does not match input role. %s", diff.ObjectReflectDiff(role, obj)) - } - default: - t.Errorf("Unexpected result type: %v", obj) - } -} - -func TestUpdateError(t *testing.T) { - storage := makeLocalTestStorage() - - role := &authorizationapi.Role{ - ObjectMeta: metav1.ObjectMeta{Name: "my-role"}, - } - - ctx := apirequest.WithNamespace(apirequest.NewContext(), "unittest") - _, _, err := storage.Update(ctx, role.Name, rest.DefaultUpdatedObjectInfo(role, kapi.Scheme)) - if err == nil { - t.Errorf("Missing expected error") - return - } - if !kapierrors.IsNotFound(err) { - t.Errorf("Unexpected error %v", err) - } -} - -func TestDeleteError(t *testing.T) { - storage := makeLocalTestStorage() - - ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"}) - _, _, err := storage.Delete(ctx, "foo", nil) - - if err == nil { - t.Errorf("expected error") - } - if !kapierrors.IsNotFound(err) { - t.Errorf("unexpected error: %v", err) - } -} - -func TestDeleteValid(t *testing.T) { - storage := makeLocalTestStorage() - ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"}) - storage.Create(ctx, &authorizationapi.Role{ - ObjectMeta: metav1.ObjectMeta{Name: "my-role"}, - }, false) - - obj, _, err := storage.Delete(ctx, "my-role", nil) - if err != nil { - t.Fatalf("unexpected error: %v", err) - } - - switch r := obj.(type) { - case *metav1.Status: - if r.Status != "Success" { - t.Fatalf("Got back non-success status: %#v", r) - } - default: - t.Fatalf("Got back 
non-status result: %v", r) - } -} diff --git a/pkg/cmd/server/admin/legacyetcd/role/registry.go b/pkg/cmd/server/admin/legacyetcd/role/registry.go deleted file mode 100644 index 166fd857a2d9..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/role/registry.go +++ /dev/null @@ -1,21 +0,0 @@ -package role - -import ( - apirequest "k8s.io/apiserver/pkg/endpoints/request" - "k8s.io/apiserver/pkg/registry/rest" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" -) - -// Storage is an interface for a standard REST Storage backend -type Storage interface { - rest.Getter - rest.Lister - rest.CreaterUpdater - rest.GracefulDeleter - - // CreateRoleWithEscalation creates a new policyRole. Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound. - CreateRoleWithEscalation(ctx apirequest.Context, policyRole *authorizationapi.Role) (*authorizationapi.Role, error) - // UpdateRoleWithEscalation updates a policyRole. Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound. - UpdateRoleWithEscalation(ctx apirequest.Context, policyRole *authorizationapi.Role) (*authorizationapi.Role, bool, error) -} diff --git a/pkg/cmd/server/admin/legacyetcd/role/strategy.go b/pkg/cmd/server/admin/legacyetcd/role/strategy.go deleted file mode 100644 index 38be1623fc9d..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/role/strategy.go +++ /dev/null 
@@ -1,94 +0,0 @@ -package role - -import ( - "fmt" - - "k8s.io/apimachinery/pkg/fields" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/util/validation/field" - apirequest "k8s.io/apiserver/pkg/endpoints/request" - kstorage "k8s.io/apiserver/pkg/storage" - kapi "k8s.io/kubernetes/pkg/api" - - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - "github.com/openshift/origin/pkg/authorization/apis/authorization/validation" -) - -// strategy implements behavior for nodes -type strategy struct { - namespaced bool - runtime.ObjectTyper -} - -// Strategy is the default logic that applies when creating and updating Role objects. -var ClusterStrategy = strategy{false, kapi.Scheme} -var LocalStrategy = strategy{true, kapi.Scheme} - -// NamespaceScoped is false for policies. -func (s strategy) NamespaceScoped() bool { - return s.namespaced -} - -// AllowCreateOnUpdate is false for policies. -func (s strategy) AllowCreateOnUpdate() bool { - return false -} - -func (strategy) AllowUnconditionalUpdate() bool { - return true -} - -func (s strategy) GenerateName(base string) string { - return base -} - -// PrepareForCreate clears fields that are not allowed to be set by end users on creation. -func (s strategy) PrepareForCreate(ctx apirequest.Context, obj runtime.Object) { - _ = obj.(*authorizationapi.Role) -} - -// PrepareForUpdate clears fields that are not allowed to be set by end users on update. -func (s strategy) PrepareForUpdate(ctx apirequest.Context, obj, old runtime.Object) { - _ = obj.(*authorizationapi.Role) -} - -// Canonicalize normalizes the object after validation. -func (strategy) Canonicalize(obj runtime.Object) { -} - -// Validate validates a new role. 
-func (s strategy) Validate(ctx apirequest.Context, obj runtime.Object) field.ErrorList { - return validation.ValidateRole(obj.(*authorizationapi.Role), s.namespaced) -} - -// ValidateUpdate is the default update validation for an end user. -func (s strategy) ValidateUpdate(ctx apirequest.Context, obj, old runtime.Object) field.ErrorList { - return validation.ValidateRoleUpdate(obj.(*authorizationapi.Role), old.(*authorizationapi.Role), s.namespaced, nil) -} - -func GetAttrs(obj runtime.Object) (labels.Set, fields.Set, bool, error) { - role, ok := obj.(*authorizationapi.Role) - if !ok { - return nil, nil, false, fmt.Errorf("not a role") - } - return labels.Set(role.ObjectMeta.Labels), RoleToSelectableFields(role), role.Initializers != nil, nil -} - -// Matcher returns a generic matcher for a given label and field selector. -func Matcher(label labels.Selector, field fields.Selector) kstorage.SelectionPredicate { - return kstorage.SelectionPredicate{ - Label: label, - Field: field, - GetAttrs: GetAttrs, - } -} - -// RoleToSelectableFields returns a label set that represents the object -// changes to the returned keys require registering conversions for existing versions using Scheme.AddFieldLabelConversionFunc -func RoleToSelectableFields(role *authorizationapi.Role) fields.Set { - return fields.Set{ - "metadata.name": role.Name, - "metadata.namespace": role.Namespace, - } -} diff --git a/pkg/cmd/server/admin/legacyetcd/rolebinding/policybased/virtual_storage.go b/pkg/cmd/server/admin/legacyetcd/rolebinding/policybased/virtual_storage.go deleted file mode 100644 index 61770a25c503..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/rolebinding/policybased/virtual_storage.go +++ /dev/null 
@@ -1,354 +0,0 @@ -package policybased - -import ( - "errors" - "fmt" - "sort" - - kapierrors "k8s.io/apimachinery/pkg/api/errors" - metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - apirequest "k8s.io/apiserver/pkg/endpoints/request" - "k8s.io/apiserver/pkg/registry/generic/registry" - "k8s.io/apiserver/pkg/registry/rest" - "k8s.io/client-go/util/retry" - kapi "k8s.io/kubernetes/pkg/api" - kapihelper "k8s.io/kubernetes/pkg/api/helper" - - oapi "github.com/openshift/origin/pkg/api" - authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization" - authorizationinterfaces "github.com/openshift/origin/pkg/authorization/interfaces" - "github.com/openshift/origin/pkg/authorization/rulevalidation" - policybindingregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policybinding" - rolebindingregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/rolebinding" -) - -type VirtualStorage struct { - BindingRegistry policybindingregistry.Registry - - RuleResolver rulevalidation.AuthorizationRuleResolver - CachedRuleResolver rulevalidation.AuthorizationRuleResolver - - CreateStrategy rest.RESTCreateStrategy - UpdateStrategy rest.RESTUpdateStrategy - Resource schema.GroupResource -} - -// NewVirtualStorage creates a new REST for policies. 
-func NewVirtualStorage(policyBindingRegistry policybindingregistry.Registry, liveRuleResolver, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) rolebindingregistry.Storage { - return &VirtualStorage{ - BindingRegistry: policyBindingRegistry, - - RuleResolver: liveRuleResolver, - CachedRuleResolver: cachedRuleResolver, - - CreateStrategy: rolebindingregistry.LocalStrategy, - UpdateStrategy: rolebindingregistry.LocalStrategy, - Resource: authorizationapi.Resource("rolebinding"), - } -} - -func (m *VirtualStorage) New() runtime.Object { - return &authorizationapi.RoleBinding{} -} -func (m *VirtualStorage) NewList() runtime.Object { - return &authorizationapi.RoleBindingList{} -} - -func (m *VirtualStorage) List(ctx apirequest.Context, options *metainternal.ListOptions) (runtime.Object, error) { - policyBindingList, err := m.BindingRegistry.ListPolicyBindings(ctx, &metainternal.ListOptions{}) - if err != nil { - return nil, err - } - - matcher := rolebindingregistry.Matcher(oapi.InternalListOptionsToSelectors(options)) - - roleBindingList := &authorizationapi.RoleBindingList{} - for _, policyBinding := range policyBindingList.Items { - for _, roleBinding := range policyBinding.RoleBindings { - if matches, err := matcher.Matches(roleBinding); err == nil && matches { - roleBindingList.Items = append(roleBindingList.Items, *roleBinding) - } - } - } - - sort.Sort(byName(roleBindingList.Items)) - return roleBindingList, nil -} - -func (m *VirtualStorage) Get(ctx apirequest.Context, name string, options *metav1.GetOptions) (runtime.Object, error) { - policyBinding, err := m.getPolicyBindingOwningRoleBinding(ctx, name) - if kapierrors.IsNotFound(err) { - return nil, kapierrors.NewNotFound(m.Resource, name) - } - if err != nil { - return nil, err - } - - binding, exists := policyBinding.RoleBindings[name] - if !exists { - return nil, kapierrors.NewNotFound(m.Resource, name) - } - return binding, nil -} - -func (m *VirtualStorage) Delete(ctx apirequest.Context, 
name string, options *metav1.DeleteOptions) (runtime.Object, bool, error) { - if err := retry.RetryOnConflict(retry.DefaultRetry, func() error { - owningPolicyBinding, err := m.getPolicyBindingOwningRoleBinding(ctx, name) - if kapierrors.IsNotFound(err) { - return kapierrors.NewNotFound(m.Resource, name) - } - if err != nil { - return err - } - - if _, exists := owningPolicyBinding.RoleBindings[name]; !exists { - return kapierrors.NewNotFound(m.Resource, name) - } - - delete(owningPolicyBinding.RoleBindings, name) - owningPolicyBinding.LastModified = metav1.Now() - - return m.BindingRegistry.UpdatePolicyBinding(ctx, owningPolicyBinding) - }); err != nil { - return nil, false, err - } - - return &metav1.Status{Status: metav1.StatusSuccess}, true, nil -} - -func (m *VirtualStorage) Create(ctx apirequest.Context, obj runtime.Object, _ bool) (runtime.Object, error) { - return m.createRoleBinding(ctx, obj, rulevalidation.EscalationAllowed(ctx)) -} - -func (m *VirtualStorage) CreateRoleBindingWithEscalation(ctx apirequest.Context, obj *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, error) { - return m.createRoleBinding(ctx, obj, true) -} - -func (m *VirtualStorage) createRoleBinding(ctx apirequest.Context, obj runtime.Object, allowEscalation bool) (*authorizationapi.RoleBinding, error) { - // Copy object before passing to BeforeCreate, since it mutates - objCopy, err := kapi.Scheme.DeepCopy(obj) - if err != nil { - return nil, err - } - obj = objCopy.(runtime.Object) - - if err := rest.BeforeCreate(m.CreateStrategy, ctx, obj); err != nil { - return nil, err - } - - roleBinding := obj.(*authorizationapi.RoleBinding) - - if !allowEscalation { - if err := m.confirmNoEscalation(ctx, roleBinding); err != nil { - return nil, err - } - } - - // get or auto create policy binding so we can deprecate policy and policy binding objects in 3.6 - // thus normal users can always create a role binding referring to a role in the current namespace - allowAutoProvision := 
allowEscalation || roleBinding.RoleRef.Namespace == apirequest.NamespaceValue(ctx) - - // Retry if we hit a conflict on the underlying PolicyBinding object - if err := retry.RetryOnConflict(retry.DefaultRetry, func() error { - policyBinding, err := m.getPolicyBindingForPolicy(ctx, roleBinding.RoleRef.Namespace, allowAutoProvision) - if err != nil { - return err - } - - _, exists := policyBinding.RoleBindings[roleBinding.Name] - if exists { - return kapierrors.NewAlreadyExists(m.Resource, roleBinding.Name) - } - - roleBinding.ResourceVersion = policyBinding.ResourceVersion - policyBinding.RoleBindings[roleBinding.Name] = roleBinding - policyBinding.LastModified = metav1.Now() - - return m.BindingRegistry.UpdatePolicyBinding(ctx, policyBinding) - }); err != nil { - return nil, err - } - - return roleBinding, nil -} - -func (m *VirtualStorage) Update(ctx apirequest.Context, name string, objInfo rest.UpdatedObjectInfo) (runtime.Object, bool, error) { - return m.updateRoleBinding(ctx, name, objInfo, rulevalidation.EscalationAllowed(ctx)) -} -func (m *VirtualStorage) UpdateRoleBindingWithEscalation(ctx apirequest.Context, obj *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, bool, error) { - return m.updateRoleBinding(ctx, obj.Name, rest.DefaultUpdatedObjectInfo(obj, kapi.Scheme), true) -} - -func (m *VirtualStorage) updateRoleBinding(ctx apirequest.Context, name string, objInfo rest.UpdatedObjectInfo, allowEscalation bool) (*authorizationapi.RoleBinding, bool, error) { - var updatedRoleBinding *authorizationapi.RoleBinding - var roleBindingConflicted = false - - if err := retry.RetryOnConflict(retry.DefaultRetry, func() error { - // Do an initial fetch - old, err := m.Get(ctx, name, &metav1.GetOptions{}) - if err != nil { - return err - } - oldRoleBinding, exists := old.(*authorizationapi.RoleBinding) - if !exists { - return kapierrors.NewBadRequest(fmt.Sprintf("old obj is not a role binding: %#v", old)) - } - - // get the updated object, so we know what 
namespace we're binding against - obj, err := objInfo.UpdatedObject(ctx, old) - if err != nil { - return err - } - roleBinding, ok := obj.(*authorizationapi.RoleBinding) - if !ok { - return kapierrors.NewBadRequest(fmt.Sprintf("obj is not a role binding: %#v", obj)) - } - - // now that we know which roleRef we want to go to, fetch the policyBinding we'll actually be updating, and re-get the oldRoleBinding - policyBinding, err := m.getPolicyBindingForPolicy(ctx, roleBinding.RoleRef.Namespace, allowEscalation) - if err != nil { - return err - } - oldRoleBinding, exists = policyBinding.RoleBindings[roleBinding.Name] - if !exists { - return kapierrors.NewNotFound(m.Resource, roleBinding.Name) - } - - if len(roleBinding.ResourceVersion) == 0 && m.UpdateStrategy.AllowUnconditionalUpdate() { - roleBinding.ResourceVersion = oldRoleBinding.ResourceVersion - } - - if err := rest.BeforeUpdate(m.UpdateStrategy, ctx, obj, oldRoleBinding); err != nil { - return err - } - - if !allowEscalation { - if err := m.confirmNoEscalation(ctx, roleBinding); err != nil { - return err - } - } - - // conflict detection - if roleBinding.ResourceVersion != oldRoleBinding.ResourceVersion { - // mark as a conflict err, but return an untyped error to escape the retry - roleBindingConflicted = true - return errors.New(registry.OptimisticLockErrorMsg) - } - // non-mutating change - if kapihelper.Semantic.DeepEqual(oldRoleBinding, roleBinding) { - updatedRoleBinding = roleBinding - return nil - } - - roleBinding.ResourceVersion = policyBinding.ResourceVersion - policyBinding.RoleBindings[roleBinding.Name] = roleBinding - policyBinding.LastModified = metav1.Now() - - if err := m.BindingRegistry.UpdatePolicyBinding(ctx, policyBinding); err != nil { - return err - } - updatedRoleBinding = roleBinding - return nil - }); err != nil { - if roleBindingConflicted { - // construct the typed conflict error - return nil, false, kapierrors.NewConflict(m.Resource, name, err) - } - return nil, false, err - } - 
return updatedRoleBinding, false, nil -} - -// roleForEscalationCheck tries to use the CachedRuleResolver if available to avoid expensive checks -func (m *VirtualStorage) roleForEscalationCheck(binding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error) { - if m.CachedRuleResolver != nil { - if role, err := m.CachedRuleResolver.GetRole(binding); err == nil { - return role, nil - } - } - return m.RuleResolver.GetRole(binding) -} - -func (m *VirtualStorage) confirmNoEscalation(ctx apirequest.Context, roleBinding *authorizationapi.RoleBinding) error { - modifyingRole, err := m.roleForEscalationCheck(authorizationinterfaces.NewLocalRoleBindingAdapter(roleBinding)) - if err != nil { - return err - } - - return rulevalidation.ConfirmNoEscalation(ctx, m.Resource, roleBinding.Name, m.RuleResolver, m.CachedRuleResolver, modifyingRole) -} - -// ensurePolicyBindingToMaster returns a PolicyBinding object that has a PolicyRef pointing to the Policy in the passed namespace. -func (m *VirtualStorage) ensurePolicyBindingToMaster(ctx apirequest.Context, policyNamespace, policyBindingName string) (*authorizationapi.PolicyBinding, error) { - policyBinding, err := m.BindingRegistry.GetPolicyBinding(ctx, policyBindingName, &metav1.GetOptions{}) - if err != nil { - if !kapierrors.IsNotFound(err) { - return nil, err - } - - // if we have no policyBinding, go ahead and make one. creating one here collapses code paths below. 
We only take this hit once - policyBinding = policybindingregistry.NewEmptyPolicyBinding(apirequest.NamespaceValue(ctx), policyNamespace, policyBindingName) - if err := m.BindingRegistry.CreatePolicyBinding(ctx, policyBinding); err != nil { - // Tolerate the policybinding having been created in the meantime - if !kapierrors.IsAlreadyExists(err) { - return nil, err - } - } - - policyBinding, err = m.BindingRegistry.GetPolicyBinding(ctx, policyBindingName, &metav1.GetOptions{}) - if err != nil { - return nil, err - } - } - - if policyBinding.RoleBindings == nil { - policyBinding.RoleBindings = make(map[string]*authorizationapi.RoleBinding) - } - - return policyBinding, nil -} - -// getPolicyBindingForPolicy returns a PolicyBinding that points to the specified policyNamespace. It will autocreate ONLY if policyNamespace equals the master namespace -func (m *VirtualStorage) getPolicyBindingForPolicy(ctx apirequest.Context, policyNamespace string, allowAutoProvision bool) (*authorizationapi.PolicyBinding, error) { - // we can autocreate a PolicyBinding object if the RoleBinding is for the master namespace OR if we've been explicitly told to create the policying binding. 
- // the latter happens during priming - if (policyNamespace == "") || allowAutoProvision { - return m.ensurePolicyBindingToMaster(ctx, policyNamespace, authorizationapi.GetPolicyBindingName(policyNamespace)) - } - - policyBinding, err := m.BindingRegistry.GetPolicyBinding(ctx, authorizationapi.GetPolicyBindingName(policyNamespace), &metav1.GetOptions{}) - if err != nil { - return nil, err - } - - if policyBinding.RoleBindings == nil { - policyBinding.RoleBindings = make(map[string]*authorizationapi.RoleBinding) - } - - return policyBinding, nil -} - -func (m *VirtualStorage) getPolicyBindingOwningRoleBinding(ctx apirequest.Context, bindingName string) (*authorizationapi.PolicyBinding, error) { - policyBindingList, err := m.BindingRegistry.ListPolicyBindings(ctx, &metainternal.ListOptions{}) - if err != nil { - return nil, err - } - - for _, policyBinding := range policyBindingList.Items { - _, exists := policyBinding.RoleBindings[bindingName] - if exists { - return &policyBinding, nil - } - } - - return nil, kapierrors.NewNotFound(m.Resource, bindingName) -} - -type byName []authorizationapi.RoleBinding - -func (r byName) Len() int { return len(r) } -func (r byName) Swap(i, j int) { r[i], r[j] = r[j], r[i] } -func (r byName) Less(i, j int) bool { return r[i].Name < r[j].Name } diff --git a/pkg/cmd/server/admin/legacyetcd/rolebinding/policybased/virtual_storage_test.go b/pkg/cmd/server/admin/legacyetcd/rolebinding/policybased/virtual_storage_test.go deleted file mode 100644 index 8d1e4f1860f2..000000000000 --- a/pkg/cmd/server/admin/legacyetcd/rolebinding/policybased/virtual_storage_test.go +++ /dev/null 
@@ -1,383 +0,0 @@
-package policybased
-
-import (
- "errors"
- "reflect"
- "strings"
- "testing"
-
- kapierrors "k8s.io/apimachinery/pkg/api/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/diff"
- "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apiserver/pkg/authentication/user"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/apiserver/pkg/registry/rest"
- kapi "k8s.io/kubernetes/pkg/api"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- _ "github.com/openshift/origin/pkg/authorization/apis/authorization/install"
- "github.com/openshift/origin/pkg/authorization/rulevalidation"
- clusterpolicybindingregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding"
- rolebindingregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/rolebinding"
- "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/test"
-)
-
-func testNewClusterPolicies() []authorizationapi.ClusterPolicy {
- return []authorizationapi.ClusterPolicy{
- {
- ObjectMeta: metav1.ObjectMeta{Name: authorizationapi.PolicyName},
- Roles: map[string]*authorizationapi.ClusterRole{
- "cluster-admin": {
- ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"},
- Rules: []authorizationapi.PolicyRule{{Verbs: sets.NewString("*"), Resources: sets.NewString("*")}},
- },
- "admin": {
- ObjectMeta: metav1.ObjectMeta{Name: "admin"},
- Rules: []authorizationapi.PolicyRule{{Verbs: sets.NewString("*"), Resources: sets.NewString("*")}},
- },
- },
- },
- }
-}
-
-func testNewClusterBindings() []authorizationapi.ClusterPolicyBinding {
- return []authorizationapi.ClusterPolicyBinding{
- {
- ObjectMeta: metav1.ObjectMeta{Name: authorizationapi.ClusterPolicyBindingName},
- RoleBindings: map[string]*authorizationapi.ClusterRoleBinding{
- "cluster-admins": {
- ObjectMeta: metav1.ObjectMeta{Name: "cluster-admins"},
- RoleRef: kapi.ObjectReference{Name: "cluster-admin"},
- Subjects:
[]kapi.ObjectReference{{Kind: authorizationapi.SystemUserKind, Name: "system:admin"}},
- },
- },
- },
- }
-}
-func testNewLocalBindings() []authorizationapi.PolicyBinding {
- return []authorizationapi.PolicyBinding{
- {
- ObjectMeta: metav1.ObjectMeta{Name: authorizationapi.GetPolicyBindingName("unittest"), Namespace: "unittest"},
- RoleBindings: map[string]*authorizationapi.RoleBinding{},
- },
- }
-}
-
-func makeTestStorage() rolebindingregistry.Storage {
- clusterBindingRegistry := test.NewClusterPolicyBindingRegistry(testNewClusterBindings(), nil)
- bindingRegistry := test.NewPolicyBindingRegistry(testNewLocalBindings(), nil)
- clusterPolicyRegistry := test.NewClusterPolicyRegistry(testNewClusterPolicies(), nil)
- policyRegistry := test.NewPolicyRegistry([]authorizationapi.Policy{}, nil)
-
- return NewVirtualStorage(bindingRegistry, rulevalidation.NewDefaultRuleResolver(policyRegistry, bindingRegistry, clusterPolicyRegistry, clusterBindingRegistry), nil)
-}
-
-func makeClusterTestStorage() rolebindingregistry.Storage {
- clusterBindingRegistry := test.NewClusterPolicyBindingRegistry(testNewClusterBindings(), nil)
- clusterPolicyRegistry := test.NewClusterPolicyRegistry(testNewClusterPolicies(), nil)
- bindingRegistry := clusterpolicybindingregistry.NewSimulatedRegistry(clusterBindingRegistry)
-
- return NewVirtualStorage(bindingRegistry, rulevalidation.NewDefaultRuleResolver(nil, nil, clusterPolicyRegistry, clusterBindingRegistry), nil)
-}
-
-func TestCreateValidationError(t *testing.T) {
- storage := makeTestStorage()
- roleBinding := &authorizationapi.RoleBinding{}
-
- ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"})
- _, err := storage.Create(ctx, roleBinding, false)
- if err == nil {
- t.Errorf("Expected validation error")
- }
-}
-
-func TestCreateValidAutoCreateMasterPolicyBindings(t *testing.T) {
- storage := makeTestStorage()
- roleBinding := &authorizationapi.RoleBinding{
-
ObjectMeta: metav1.ObjectMeta{Name: "my-roleBinding"},
- RoleRef: kapi.ObjectReference{Name: "admin"},
- }
-
- ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"})
- obj, err := storage.Create(ctx, roleBinding, false)
- if err != nil {
- t.Errorf("unexpected error: %v", err)
- }
-
- switch r := obj.(type) {
- case *metav1.Status:
- t.Errorf("Got back unexpected status: %#v", r)
- case *authorizationapi.RoleBinding:
- // expected case
- default:
- t.Errorf("Got unexpected type: %#v", r)
- }
-}
-
-func TestCreateValid(t *testing.T) {
- ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"})
-
- storage := makeTestStorage()
-
- roleBinding := &authorizationapi.RoleBinding{
- ObjectMeta: metav1.ObjectMeta{Name: "my-roleBinding"},
- RoleRef: kapi.ObjectReference{Name: "admin"},
- }
-
- obj, err := storage.Create(ctx, roleBinding, false)
- if err != nil {
- t.Errorf("unexpected error: %v", err)
- }
-
- switch obj.(type) {
- case *metav1.Status:
- t.Errorf("Got back unexpected status: %#v", obj)
- case *authorizationapi.RoleBinding:
- // expected case
- default:
- t.Errorf("Got unexpected type: %#v", obj)
- }
-}
-
-func TestUpdate(t *testing.T) {
- ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"})
-
- storage := makeTestStorage()
- obj, err := storage.Create(ctx, &authorizationapi.RoleBinding{
- ObjectMeta: metav1.ObjectMeta{Name: "my-roleBinding"},
- RoleRef: kapi.ObjectReference{Name: "admin"},
- }, false)
- if err != nil {
- t.Errorf("unexpected error: %v", err)
- return
- }
- original := obj.(*authorizationapi.RoleBinding)
-
- roleBinding := &authorizationapi.RoleBinding{
- ObjectMeta: original.ObjectMeta,
- RoleRef: kapi.ObjectReference{Name: "admin"},
- Subjects: []kapi.ObjectReference{{Name: "bob", Kind: "User"}},
- }
-
- obj, created,
err := storage.Update(ctx, roleBinding.Name, rest.DefaultUpdatedObjectInfo(roleBinding, kapi.Scheme))
- if err != nil || created {
- t.Errorf("Unexpected error %v", err)
- }
-
- switch actual := obj.(type) {
- case *metav1.Status:
- t.Errorf("Unexpected operation error: %v", obj)
-
- case *authorizationapi.RoleBinding:
- if original.ResourceVersion == actual.ResourceVersion {
- t.Errorf("Expected change to role binding. Expected: %s, Got: %s", original.ResourceVersion, actual.ResourceVersion)
- }
- roleBinding.ResourceVersion = actual.ResourceVersion
- if !reflect.DeepEqual(roleBinding, obj) {
- t.Errorf("Updated roleBinding does not match input roleBinding. %s", diff.ObjectReflectDiff(roleBinding, obj))
- }
- default:
- t.Errorf("Unexpected result type: %v", obj)
- }
-}
-
-func TestUnconditionalUpdate(t *testing.T) {
- ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"})
-
- storage := makeTestStorage()
- obj, err := storage.Create(ctx, &authorizationapi.RoleBinding{
- ObjectMeta: metav1.ObjectMeta{Name: "my-roleBinding"},
- RoleRef: kapi.ObjectReference{Name: "admin"},
- }, false)
- if err != nil {
- t.Errorf("unexpected error: %v", err)
- return
- }
- original := obj.(*authorizationapi.RoleBinding)
-
- roleBinding := &authorizationapi.RoleBinding{
- ObjectMeta: original.ObjectMeta,
- RoleRef: kapi.ObjectReference{Name: "admin"},
- Subjects: []kapi.ObjectReference{{Name: "bob", Kind: "User"}},
- }
- roleBinding.ResourceVersion = ""
-
- obj, created, err := storage.Update(ctx, roleBinding.Name, rest.DefaultUpdatedObjectInfo(roleBinding, kapi.Scheme))
- if err != nil || created {
- t.Errorf("Unexpected error %v", err)
- }
-
- switch actual := obj.(type) {
- case *metav1.Status:
- t.Errorf("Unexpected operation error: %v", obj)
-
- case *authorizationapi.RoleBinding:
- if original.ResourceVersion == actual.ResourceVersion {
- t.Errorf("Expected change to role binding.
Expected: %s, Got: %s", original.ResourceVersion, actual.ResourceVersion)
- }
- roleBinding.ResourceVersion = actual.ResourceVersion
- if !reflect.DeepEqual(roleBinding, obj) {
- t.Errorf("Updated roleBinding does not match input roleBinding. %s", diff.ObjectReflectDiff(roleBinding, obj))
- }
- default:
- t.Errorf("Unexpected result type: %v", obj)
- }
-}
-
-func TestConflictingUpdate(t *testing.T) {
- ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"})
-
- storage := makeTestStorage()
- obj, err := storage.Create(ctx, &authorizationapi.RoleBinding{
- ObjectMeta: metav1.ObjectMeta{Name: "my-roleBinding"},
- RoleRef: kapi.ObjectReference{Name: "admin"},
- }, false)
- if err != nil {
- t.Errorf("unexpected error: %v", err)
- return
- }
- original := obj.(*authorizationapi.RoleBinding)
-
- roleBinding := &authorizationapi.RoleBinding{
- ObjectMeta: original.ObjectMeta,
- RoleRef: kapi.ObjectReference{Name: "admin"},
- Subjects: []kapi.ObjectReference{{Name: "bob", Kind: "User"}},
- }
- roleBinding.ResourceVersion = roleBinding.ResourceVersion + "1"
-
- _, _, err = storage.Update(ctx, roleBinding.Name, rest.DefaultUpdatedObjectInfo(roleBinding, kapi.Scheme))
- if err == nil || !kapierrors.IsConflict(err) {
- t.Errorf("Expected conflict error, got: %#v", err)
- }
-}
-
-func TestUpdateNoOp(t *testing.T) {
- ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"})
-
- storage := makeTestStorage()
- obj, err := storage.Create(ctx, &authorizationapi.RoleBinding{
- ObjectMeta: metav1.ObjectMeta{Name: "my-roleBinding"},
- RoleRef: kapi.ObjectReference{Name: "admin"},
- }, false)
- if err != nil {
- t.Errorf("unexpected error: %v", err)
- return
- }
- original := obj.(*authorizationapi.RoleBinding)
-
- roleBinding := &authorizationapi.RoleBinding{
- ObjectMeta: original.ObjectMeta,
- RoleRef: kapi.ObjectReference{Name:
"admin"}, - } - - obj, created, err := storage.Update(ctx, roleBinding.Name, rest.DefaultUpdatedObjectInfo(roleBinding, kapi.Scheme)) - if err != nil || created { - t.Errorf("Unexpected error %v", err) - } - - switch o := obj.(type) { - case *metav1.Status: - t.Errorf("Unexpected operation error: %v", obj) - - case *authorizationapi.RoleBinding: - if original.ResourceVersion != o.ResourceVersion { - t.Errorf("Expected no change to role binding. Expected: %s, Got: %s", original.ResourceVersion, o.ResourceVersion) - } - if !reflect.DeepEqual(roleBinding, obj) { - t.Errorf("Updated roleBinding does not match input roleBinding. %s", diff.ObjectReflectDiff(roleBinding, obj)) - } - default: - t.Errorf("Unexpected result type: %v", obj) - } -} - -func TestUpdateError(t *testing.T) { - ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"}) - - storage := makeTestStorage() - obj, err := storage.Create(ctx, &authorizationapi.RoleBinding{ - ObjectMeta: metav1.ObjectMeta{Name: "my-different"}, - RoleRef: kapi.ObjectReference{Name: "admin"}, - }, false) - if err != nil { - t.Errorf("unexpected error: %v", err) - return - } - original := obj.(*authorizationapi.RoleBinding) - - roleBinding := &authorizationapi.RoleBinding{ - ObjectMeta: metav1.ObjectMeta{Name: "my-roleBinding", ResourceVersion: original.ResourceVersion}, - RoleRef: kapi.ObjectReference{Name: "admin"}, - } - - _, _, err = storage.Update(ctx, roleBinding.Name, rest.DefaultUpdatedObjectInfo(roleBinding, kapi.Scheme)) - if err == nil { - t.Errorf("Missing expected error") - return - } - if !kapierrors.IsNotFound(err) { - t.Errorf("Unexpected error %v", err) - } -} - -func TestUpdateCannotChangeRoleRefError(t *testing.T) { - ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"}) - - storage := makeTestStorage() - obj, err := storage.Create(ctx, 
&authorizationapi.RoleBinding{
- ObjectMeta: metav1.ObjectMeta{Name: "my-different"},
- RoleRef: kapi.ObjectReference{Name: "admin"},
- }, false)
- if err != nil {
- t.Errorf("unexpected error: %v", err)
- return
- }
- original := obj.(*authorizationapi.RoleBinding)
-
- roleBinding := &authorizationapi.RoleBinding{
- ObjectMeta: metav1.ObjectMeta{Name: "my-different", ResourceVersion: original.ResourceVersion},
- RoleRef: kapi.ObjectReference{Name: "cluster-admin"},
- }
-
- _, _, err = storage.Update(ctx, roleBinding.Name, rest.DefaultUpdatedObjectInfo(roleBinding, kapi.Scheme))
- if err == nil {
- t.Errorf("Missing expected error")
- return
- }
- expectedErr := "cannot change roleRef"
- if !strings.Contains(err.Error(), expectedErr) {
- t.Errorf("Expected %v, got %v", expectedErr, err.Error())
- }
-}
-
-func TestDeleteError(t *testing.T) {
- bindingRegistry := &test.PolicyBindingRegistry{}
- bindingRegistry.Err = errors.New("Sample Error")
-
- storage := NewVirtualStorage(bindingRegistry, rulevalidation.NewDefaultRuleResolver(&test.PolicyRegistry{}, bindingRegistry, &test.ClusterPolicyRegistry{}, &test.ClusterPolicyBindingRegistry{}), nil)
- ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), "unittest"), &user.DefaultInfo{Name: "system:admin"})
- _, _, err := storage.Delete(ctx, "foo", nil)
- if err != bindingRegistry.Err {
- t.Errorf("unexpected error: %v", err)
- }
-}
-
-func TestDeleteValid(t *testing.T) {
- storage := makeClusterTestStorage()
-
- ctx := apirequest.WithUser(apirequest.WithNamespace(apirequest.NewContext(), ""), &user.DefaultInfo{Name: "system:admin"})
- obj, _, err := storage.Delete(ctx, "cluster-admins", nil)
- if err != nil {
- t.Fatalf("unexpected error: %v", err)
- }
-
- switch r := obj.(type) {
- case *metav1.Status:
- if r.Status != "Success" {
- t.Fatalf("Got back non-success status: %#v", r)
- }
- default:
- t.Fatalf("Got back non-status result: %v", r)
- }
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/rolebinding/registry.go b/pkg/cmd/server/admin/legacyetcd/rolebinding/registry.go
deleted file mode 100644
index f68376876a23..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/rolebinding/registry.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package rolebinding
-
-import (
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/apiserver/pkg/registry/rest"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-)
-
-// Storage is an interface for a standard REST Storage backend
-type Storage interface {
- rest.Getter
- rest.Lister
- rest.CreaterUpdater
- rest.GracefulDeleter
-
- // CreateRoleBindingWithEscalation creates a new policyRoleBinding. Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
- CreateRoleBindingWithEscalation(ctx apirequest.Context, policyRoleBinding *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, error)
- // UpdateRoleBindingWithEscalation updates a policyRoleBinding. Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
- UpdateRoleBindingWithEscalation(ctx apirequest.Context, policyRoleBinding *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, bool, error)
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/rolebinding/strategy.go b/pkg/cmd/server/admin/legacyetcd/rolebinding/strategy.go
deleted file mode 100644
index 3be6ab41530d..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/rolebinding/strategy.go
+++ /dev/null
@@ -1,94 +0,0 @@
-package rolebinding
-
-import (
- "fmt"
-
- "k8s.io/apimachinery/pkg/fields"
- "k8s.io/apimachinery/pkg/labels"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/util/validation/field"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- kstorage "k8s.io/apiserver/pkg/storage"
- kapi "k8s.io/kubernetes/pkg/api"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- "github.com/openshift/origin/pkg/authorization/apis/authorization/validation"
-)
-
-// strategy implements behavior for nodes
-type strategy struct {
- namespaced bool
-
- runtime.ObjectTyper
-}
-
-var ClusterStrategy = strategy{false, kapi.Scheme}
-var LocalStrategy = strategy{true, kapi.Scheme}
-
-// NamespaceScoped is false for rolebindings.
-func (s strategy) NamespaceScoped() bool {
- return s.namespaced
-}
-
-// AllowCreateOnUpdate is false for rolebindings.
-func (s strategy) AllowCreateOnUpdate() bool {
- return false
-}
-
-func (strategy) AllowUnconditionalUpdate() bool {
- return true
-}
-
-func (s strategy) GenerateName(base string) string {
- return base
-}
-
-// PrepareForCreate clears fields that are not allowed to be set by end users on creation.
-func (s strategy) PrepareForCreate(ctx apirequest.Context, obj runtime.Object) {
- _ = obj.(*authorizationapi.RoleBinding)
-}
-
-// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
-func (s strategy) PrepareForUpdate(ctx apirequest.Context, obj, old runtime.Object) {
- _ = obj.(*authorizationapi.RoleBinding)
-}
-
-// Canonicalize normalizes the object after validation.
-func (strategy) Canonicalize(obj runtime.Object) {
-}
-
-// Validate validates a new role.
-func (s strategy) Validate(ctx apirequest.Context, obj runtime.Object) field.ErrorList {
- return validation.ValidateRoleBinding(obj.(*authorizationapi.RoleBinding), s.namespaced)
-}
-
-// ValidateUpdate is the default update validation for an end user.
-func (s strategy) ValidateUpdate(ctx apirequest.Context, obj, old runtime.Object) field.ErrorList {
- return validation.ValidateRoleBindingUpdate(obj.(*authorizationapi.RoleBinding), old.(*authorizationapi.RoleBinding), s.namespaced)
-}
-
-func GetAttrs(obj runtime.Object) (labels.Set, fields.Set, bool, error) {
- roleBinding, ok := obj.(*authorizationapi.RoleBinding)
- if !ok {
- return nil, nil, false, fmt.Errorf("not a rolebinding")
- }
- return labels.Set(roleBinding.ObjectMeta.Labels), RoleBindingToSelectableFields(roleBinding), roleBinding.Initializers != nil, nil
-}
-
-// Matcher returns a generic matcher for a given label and field selector.
-func Matcher(label labels.Selector, field fields.Selector) kstorage.SelectionPredicate {
- return kstorage.SelectionPredicate{
- Label: label,
- Field: field,
- GetAttrs: GetAttrs,
- }
-}
-
-// RoleBindingToSelectableFields returns a label set that represents the object
-// changes to the returned keys require registering conversions for existing versions using Scheme.AddFieldLabelConversionFunc
-func RoleBindingToSelectableFields(roleBinding *authorizationapi.RoleBinding) fields.Set {
- return fields.Set{
- "metadata.name": roleBinding.Name,
- "metadata.namespace": roleBinding.Namespace,
- }
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/test/clusterpolicy.go b/pkg/cmd/server/admin/legacyetcd/test/clusterpolicy.go
deleted file mode 100644
index 7a16cd5ac676..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/test/clusterpolicy.go
+++ /dev/null
@@ -1,173 +0,0 @@
-package test
-
-import (
- "errors"
- "fmt"
-
- kapierrors "k8s.io/apimachinery/pkg/api/errors"
- metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/labels"
- "k8s.io/apimachinery/pkg/watch"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-)
-
-var resourceVersion = 1
-
-type ClusterPolicyRegistry struct {
- // ClusterPolicies is a of namespace->name->ClusterPolicy
- clusterPolicies map[string]map[string]authorizationapi.ClusterPolicy
- Err error
-}
-
-func NewClusterPolicyRegistry(policies []authorizationapi.ClusterPolicy, err error) *ClusterPolicyRegistry {
- policyMap := make(map[string]map[string]authorizationapi.ClusterPolicy)
-
- for _, policy := range policies {
- addClusterPolicy(policyMap, policy)
- }
-
- return &ClusterPolicyRegistry{policyMap, err}
-}
-
-func (r *ClusterPolicyRegistry) List(label labels.Selector) ([]*authorizationapi.ClusterPolicy, error) {
- list, err := r.ListClusterPolicies(apirequest.NewContext(), &metainternal.ListOptions{LabelSelector: label})
- if err != nil {
- return nil, err
- }
- var items []*authorizationapi.ClusterPolicy
- for i := range list.Items {
- items = append(items, &list.Items[i])
- }
- return items, nil
-}
-
-func (r *ClusterPolicyRegistry) Get(name string) (*authorizationapi.ClusterPolicy, error) {
- return r.GetClusterPolicy(apirequest.NewContext(), name, &metav1.GetOptions{})
-}
-
-// ListClusterPolicies obtains list of ListClusterPolicy that match a selector.
-func (r *ClusterPolicyRegistry) ListClusterPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.ClusterPolicyList, error) {
- if r.Err != nil {
- return nil, r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- list := make([]authorizationapi.ClusterPolicy, 0)
-
- if namespace == metav1.NamespaceAll {
- for _, curr := range r.clusterPolicies {
- for _, policy := range curr {
- list = append(list, policy)
- }
- }
-
- } else {
- if namespacedClusterPolicies, ok := r.clusterPolicies[namespace]; ok {
- for _, curr := range namespacedClusterPolicies {
- list = append(list, curr)
- }
- }
- }
-
- return &authorizationapi.ClusterPolicyList{
- Items: list,
- },
- nil
-}
-
-// GetClusterPolicy retrieves a specific policy.
-func (r *ClusterPolicyRegistry) GetClusterPolicy(ctx apirequest.Context, id string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicy, error) {
- if r.Err != nil {
- return nil, r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) != 0 {
- return nil, errors.New("invalid request. Namespace parameter disallowed.")
- }
-
- if namespacedClusterPolicies, ok := r.clusterPolicies[namespace]; ok {
- if policy, ok := namespacedClusterPolicies[id]; ok {
- return &policy, nil
- }
- }
-
- return nil, kapierrors.NewNotFound(authorizationapi.Resource("clusterpolicy"), id)
-}
-
-// CreateClusterPolicy creates a new policy.
-func (r *ClusterPolicyRegistry) CreateClusterPolicy(ctx apirequest.Context, policy *authorizationapi.ClusterPolicy) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) != 0 {
- return errors.New("invalid request.
Namespace parameter disallowed.")
- }
- if existing, _ := r.GetClusterPolicy(ctx, policy.Name, &metav1.GetOptions{}); existing != nil {
- return kapierrors.NewAlreadyExists(authorizationapi.Resource("ClusterPolicy"), policy.Name)
- }
-
- addClusterPolicy(r.clusterPolicies, *policy)
-
- return nil
-}
-
-// UpdateClusterPolicy updates a policy.
-func (r *ClusterPolicyRegistry) UpdateClusterPolicy(ctx apirequest.Context, policy *authorizationapi.ClusterPolicy) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) != 0 {
- return errors.New("invalid request. Namespace parameter disallowed.")
- }
- if existing, _ := r.GetClusterPolicy(ctx, policy.Name, &metav1.GetOptions{}); existing == nil {
- return kapierrors.NewNotFound(authorizationapi.Resource("clusterpolicy"), policy.Name)
- }
-
- addClusterPolicy(r.clusterPolicies, *policy)
-
- return nil
-}
-
-// DeleteClusterPolicy deletes a policy.
-func (r *ClusterPolicyRegistry) DeleteClusterPolicy(ctx apirequest.Context, id string) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) != 0 {
- return errors.New("invalid request.
Namespace parameter disallowed.")
- }
-
- namespacedClusterPolicies, ok := r.clusterPolicies[namespace]
- if ok {
- delete(namespacedClusterPolicies, id)
- }
-
- return nil
-}
-
-func (r *ClusterPolicyRegistry) WatchClusterPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) {
- return nil, errors.New("unsupported action for test registry")
-}
-
-func addClusterPolicy(policies map[string]map[string]authorizationapi.ClusterPolicy, policy authorizationapi.ClusterPolicy) {
- resourceVersion += 1
- policy.ResourceVersion = fmt.Sprintf("%d", resourceVersion)
-
- namespacedClusterPolicies, ok := policies[policy.Namespace]
- if !ok {
- namespacedClusterPolicies = make(map[string]authorizationapi.ClusterPolicy)
- policies[policy.Namespace] = namespacedClusterPolicies
- }
-
- namespacedClusterPolicies[policy.Name] = policy
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/test/clusterpolicybinding.go b/pkg/cmd/server/admin/legacyetcd/test/clusterpolicybinding.go
deleted file mode 100644
index 8c8b8eda3d57..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/test/clusterpolicybinding.go
+++ /dev/null
@@ -1,170 +0,0 @@
-package test
-
-import (
- "errors"
- "fmt"
-
- kapierrors "k8s.io/apimachinery/pkg/api/errors"
- metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/labels"
- "k8s.io/apimachinery/pkg/watch"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-)
-
-type ClusterPolicyBindingRegistry struct {
- // clusterPolicyBindings is a of namespace->name->ClusterPolicyBinding
- clusterPolicyBindings map[string]map[string]authorizationapi.ClusterPolicyBinding
- Err error
-}
-
-func NewClusterPolicyBindingRegistry(bindings []authorizationapi.ClusterPolicyBinding, err error) *ClusterPolicyBindingRegistry {
- bindingMap := make(map[string]map[string]authorizationapi.ClusterPolicyBinding)
-
- for _, binding := range bindings {
- addClusterPolicyBinding(bindingMap, binding)
- }
-
- return &ClusterPolicyBindingRegistry{bindingMap, err}
-}
-
-func (r *ClusterPolicyBindingRegistry) List(label labels.Selector) ([]*authorizationapi.ClusterPolicyBinding, error) {
- list, err := r.ListClusterPolicyBindings(apirequest.NewContext(), &metainternal.ListOptions{LabelSelector: label})
- if err != nil {
- return nil, err
- }
- var items []*authorizationapi.ClusterPolicyBinding
- for i := range list.Items {
- items = append(items, &list.Items[i])
- }
- return items, nil
-}
-func (r *ClusterPolicyBindingRegistry) Get(name string) (*authorizationapi.ClusterPolicyBinding, error) {
- return r.GetClusterPolicyBinding(apirequest.NewContext(), name, &metav1.GetOptions{})
-}
-
-// ListClusterPolicyBindings obtains list of clusterPolicyBindings that match a selector.
-func (r *ClusterPolicyBindingRegistry) ListClusterPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.ClusterPolicyBindingList, error) {
- if r.Err != nil {
- return nil, r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- list := make([]authorizationapi.ClusterPolicyBinding, 0)
-
- if namespace == metav1.NamespaceAll {
- for _, curr := range r.clusterPolicyBindings {
- for _, binding := range curr {
- list = append(list, binding)
- }
- }
-
- } else {
- if namespacedBindings, ok := r.clusterPolicyBindings[namespace]; ok {
- for _, curr := range namespacedBindings {
- list = append(list, curr)
- }
- }
- }
-
- return &authorizationapi.ClusterPolicyBindingList{
- Items: list,
- },
- nil
-}
-
-// GetClusterPolicyBinding retrieves a specific policyBinding.
-func (r *ClusterPolicyBindingRegistry) GetClusterPolicyBinding(ctx apirequest.Context, id string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicyBinding, error) {
- if r.Err != nil {
- return nil, r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) != 0 {
- return nil, errors.New("invalid request. Namespace parameter disallowed.")
- }
-
- if namespacedBindings, ok := r.clusterPolicyBindings[namespace]; ok {
- if binding, ok := namespacedBindings[id]; ok {
- return &binding, nil
- }
- }
-
- return nil, kapierrors.NewNotFound(authorizationapi.Resource("clusterpolicybinding"), id)
-}
-
-// CreateClusterPolicyBinding creates a new policyBinding.
-func (r *ClusterPolicyBindingRegistry) CreateClusterPolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.ClusterPolicyBinding) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) != 0 {
- return errors.New("invalid request.
Namespace parameter disallowed.")
- }
- if existing, _ := r.GetClusterPolicyBinding(ctx, policyBinding.Name, &metav1.GetOptions{}); existing != nil {
- return kapierrors.NewAlreadyExists(authorizationapi.Resource("clusterpolicybinding"), policyBinding.Name)
- }
-
- addClusterPolicyBinding(r.clusterPolicyBindings, *policyBinding)
-
- return nil
-}
-
-// UpdateClusterPolicyBinding updates a policyBinding.
-func (r *ClusterPolicyBindingRegistry) UpdateClusterPolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.ClusterPolicyBinding) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) != 0 {
- return errors.New("invalid request. Namespace parameter disallowed.")
- }
- if existing, _ := r.GetClusterPolicyBinding(ctx, policyBinding.Name, &metav1.GetOptions{}); existing == nil {
- return kapierrors.NewNotFound(authorizationapi.Resource("clusterpolicybinding"), policyBinding.Name)
- }
-
- addClusterPolicyBinding(r.clusterPolicyBindings, *policyBinding)
-
- return nil
-}
-
-// DeleteClusterPolicyBinding deletes a policyBinding.
-func (r *ClusterPolicyBindingRegistry) DeleteClusterPolicyBinding(ctx apirequest.Context, id string) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) != 0 {
- return errors.New("invalid request.
Namespace parameter disallowed.")
- }
-
- namespacedBindings, ok := r.clusterPolicyBindings[namespace]
- if ok {
- delete(namespacedBindings, id)
- }
-
- return nil
-}
-
-func (r *ClusterPolicyBindingRegistry) WatchClusterPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) {
- return nil, errors.New("unsupported action for test registry")
-}
-
-func addClusterPolicyBinding(bindings map[string]map[string]authorizationapi.ClusterPolicyBinding, binding authorizationapi.ClusterPolicyBinding) {
- resourceVersion += 1
- binding.ResourceVersion = fmt.Sprintf("%d", resourceVersion)
-
- namespacedBindings, ok := bindings[binding.Namespace]
- if !ok {
- namespacedBindings = make(map[string]authorizationapi.ClusterPolicyBinding)
- bindings[binding.Namespace] = namespacedBindings
- }
-
- namespacedBindings[binding.Name] = binding
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/test/policy.go b/pkg/cmd/server/admin/legacyetcd/test/policy.go
deleted file mode 100644
index 16d38fe2f98a..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/test/policy.go
+++ /dev/null
@@ -1,185 +0,0 @@
-package test
-
-import (
- "errors"
- "fmt"
-
- metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/labels"
- "k8s.io/apimachinery/pkg/watch"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- authorizationlister "github.com/openshift/origin/pkg/authorization/generated/listers/authorization/internalversion"
- policyregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policy"
-)
-
-type PolicyRegistry struct {
- // policies is a of namespace->name->Policy
- policies map[string]map[string]authorizationapi.Policy
- Err error
-}
-
-func NewPolicyRegistry(policies []authorizationapi.Policy, err error) *PolicyRegistry {
- policyMap := make(map[string]map[string]authorizationapi.Policy)
-
- for _, policy := range policies {
- addPolicy(policyMap, policy)
- }
-
- return &PolicyRegistry{policyMap, err}
-}
-
-func (r *PolicyRegistry) List(_ labels.Selector) ([]*authorizationapi.Policy, error) {
- return nil, fmt.Errorf("unimplemented")
-}
-
-func (r *PolicyRegistry) Policies(namespace string) authorizationlister.PolicyNamespaceLister {
- return policyLister{registry: r, namespace: namespace}
-}
-
-type policyLister struct {
- registry policyregistry.Registry
- namespace string
-}
-
-func (s policyLister) List(label labels.Selector) ([]*authorizationapi.Policy, error) {
- list, err := s.registry.ListPolicies(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), &metainternal.ListOptions{LabelSelector: label})
- if err != nil {
- return nil, err
- }
- var items []*authorizationapi.Policy
- for i := range list.Items {
- items = append(items, &list.Items[i])
- }
- return items, nil
-}
-
-func (s policyLister) Get(name string) (*authorizationapi.Policy, error) {
- return s.registry.GetPolicy(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), name, &metav1.GetOptions{})
-}
-
-// ListPolicies obtains a list of policies that match a selector.
-func (r *PolicyRegistry) ListPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.PolicyList, error) {
- if r.Err != nil {
- return nil, r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- list := make([]authorizationapi.Policy, 0)
-
- if namespace == metav1.NamespaceAll {
- for _, curr := range r.policies {
- for _, policy := range curr {
- list = append(list, policy)
- }
- }
-
- } else {
- if namespacedPolicies, ok := r.policies[namespace]; ok {
- for _, curr := range namespacedPolicies {
- list = append(list, curr)
- }
- }
- }
-
- return &authorizationapi.PolicyList{
- Items: list,
- },
- nil
-}
-
-// GetPolicy retrieves a specific policy.
-func (r *PolicyRegistry) GetPolicy(ctx apirequest.Context, id string, options *metav1.GetOptions) (*authorizationapi.Policy, error) {
- if r.Err != nil {
- return nil, r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) == 0 {
- return nil, errors.New("invalid request. Namespace parameter required.")
- }
-
- if namespacedPolicies, ok := r.policies[namespace]; ok {
- if policy, ok := namespacedPolicies[id]; ok {
- return &policy, nil
- }
- }
-
- return nil, fmt.Errorf("Policy %v::%v not found", namespace, id)
-}
-
-// CreatePolicy creates a new policy.
-func (r *PolicyRegistry) CreatePolicy(ctx apirequest.Context, policy *authorizationapi.Policy) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) == 0 {
- return errors.New("invalid request. Namespace parameter required.")
- }
- if existing, _ := r.GetPolicy(ctx, policy.Name, &metav1.GetOptions{}); existing != nil {
- return fmt.Errorf("Policy %v::%v already exists", namespace, policy.Name)
- }
-
- addPolicy(r.policies, *policy)
-
- return nil
-}
-
-// UpdatePolicy updates a policy.
-func (r *PolicyRegistry) UpdatePolicy(ctx apirequest.Context, policy *authorizationapi.Policy) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) == 0 {
- return errors.New("invalid request. Namespace parameter required.")
- }
- if existing, _ := r.GetPolicy(ctx, policy.Name, &metav1.GetOptions{}); existing == nil {
- return fmt.Errorf("Policy %v::%v not found", namespace, policy.Name)
- }
-
- addPolicy(r.policies, *policy)
-
- return nil
-}
-
-// DeletePolicy deletes a policy.
-func (r *PolicyRegistry) DeletePolicy(ctx apirequest.Context, id string) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) == 0 {
- return errors.New("invalid request. Namespace parameter required.")
- }
-
- namespacedPolicies, ok := r.policies[namespace]
- if ok {
- delete(namespacedPolicies, id)
- }
-
- return nil
-}
-
-func (r *PolicyRegistry) WatchPolicies(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) {
- return nil, errors.New("unsupported action for test registry")
-}
-
-func addPolicy(policies map[string]map[string]authorizationapi.Policy, policy authorizationapi.Policy) {
- resourceVersion += 1
- policy.ResourceVersion = fmt.Sprintf("%d", resourceVersion)
-
- namespacedPolicies, ok := policies[policy.Namespace]
- if !ok {
- namespacedPolicies = make(map[string]authorizationapi.Policy)
- policies[policy.Namespace] = namespacedPolicies
- }
-
- namespacedPolicies[policy.Name] = policy
-}
diff --git a/pkg/cmd/server/admin/legacyetcd/test/policybinding.go b/pkg/cmd/server/admin/legacyetcd/test/policybinding.go
deleted file mode 100644
index 1f2f8c40406b..000000000000
--- a/pkg/cmd/server/admin/legacyetcd/test/policybinding.go
+++ /dev/null
@@ -1,186 +0,0 @@
-package test
-
-import (
- "errors"
- "fmt"
-
- kapierrors "k8s.io/apimachinery/pkg/api/errors"
- metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/labels"
- "k8s.io/apimachinery/pkg/watch"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
- authorizationlister "github.com/openshift/origin/pkg/authorization/generated/listers/authorization/internalversion"
- policybindingregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policybinding"
-)
-
-type PolicyBindingRegistry struct {
- // policyBindings is a of namespace->name->PolicyBinding
- policyBindings map[string]map[string]authorizationapi.PolicyBinding
- Err error
-}
-
-func NewPolicyBindingRegistry(bindings []authorizationapi.PolicyBinding, err error) *PolicyBindingRegistry {
- bindingMap := make(map[string]map[string]authorizationapi.PolicyBinding)
-
- for _, binding := range bindings {
- addPolicyBinding(bindingMap, binding)
- }
-
- return &PolicyBindingRegistry{bindingMap, err}
-}
-
-func (r *PolicyBindingRegistry) List(_ labels.Selector) ([]*authorizationapi.PolicyBinding, error) {
- return nil, fmt.Errorf("unimplemented")
-}
-
-func (r *PolicyBindingRegistry) PolicyBindings(namespace string) authorizationlister.PolicyBindingNamespaceLister {
- return policyBindingLister{registry: r, namespace: namespace}
-}
-
-type policyBindingLister struct {
- registry policybindingregistry.Registry
- namespace string
-}
-
-func (s policyBindingLister) List(label labels.Selector) ([]*authorizationapi.PolicyBinding, error) {
- list, err := s.registry.ListPolicyBindings(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), &metainternal.ListOptions{LabelSelector: label})
- if err != nil {
- return nil, err
- }
- var items []*authorizationapi.PolicyBinding
- for i := range list.Items {
- items = append(items, &list.Items[i])
- }
- return items, nil
-}
-
-func (s policyBindingLister) Get(name string) (*authorizationapi.PolicyBinding, error) {
- return s.registry.GetPolicyBinding(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), name, &metav1.GetOptions{})
-}
-
-// ListPolicyBindings obtains a list of policyBinding that match a selector.
-func (r *PolicyBindingRegistry) ListPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.PolicyBindingList, error) {
- if r.Err != nil {
- return nil, r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- list := make([]authorizationapi.PolicyBinding, 0)
-
- if namespace == metav1.NamespaceAll {
- for _, curr := range r.policyBindings {
- for _, binding := range curr {
- list = append(list, binding)
- }
- }
-
- } else {
- if namespacedBindings, ok := r.policyBindings[namespace]; ok {
- for _, curr := range namespacedBindings {
- list = append(list, curr)
- }
- }
- }
-
- return &authorizationapi.PolicyBindingList{
- Items: list,
- },
- nil
-}
-
-// GetPolicyBinding retrieves a specific policyBinding.
-func (r *PolicyBindingRegistry) GetPolicyBinding(ctx apirequest.Context, id string, options *metav1.GetOptions) (*authorizationapi.PolicyBinding, error) {
- if r.Err != nil {
- return nil, r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) == 0 {
- return nil, errors.New("invalid request. Namespace parameter required.")
- }
-
- if namespacedBindings, ok := r.policyBindings[namespace]; ok {
- if binding, ok := namespacedBindings[id]; ok {
- return &binding, nil
- }
- }
-
- return nil, kapierrors.NewNotFound(authorizationapi.Resource("policybinding"), id)
-}
-
-// CreatePolicyBinding creates a new policyBinding.
-func (r *PolicyBindingRegistry) CreatePolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.PolicyBinding) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) == 0 {
- return errors.New("invalid request. Namespace parameter required.")
- }
- if existing, _ := r.GetPolicyBinding(ctx, policyBinding.Name, &metav1.GetOptions{}); existing != nil {
- return fmt.Errorf("PolicyBinding %v::%v already exists", namespace, policyBinding.Name)
- }
-
- addPolicyBinding(r.policyBindings, *policyBinding)
-
- return nil
-}
-
-// UpdatePolicyBinding updates a policyBinding.
-func (r *PolicyBindingRegistry) UpdatePolicyBinding(ctx apirequest.Context, policyBinding *authorizationapi.PolicyBinding) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) == 0 {
- return errors.New("invalid request. Namespace parameter required.")
- }
- if existing, _ := r.GetPolicyBinding(ctx, policyBinding.Name, &metav1.GetOptions{}); existing == nil {
- return kapierrors.NewNotFound(authorizationapi.Resource("policybinding"), policyBinding.Name)
- }
-
- addPolicyBinding(r.policyBindings, *policyBinding)
-
- return nil
-}
-
-// DeletePolicyBinding deletes a policyBinding.
-func (r *PolicyBindingRegistry) DeletePolicyBinding(ctx apirequest.Context, id string) error {
- if r.Err != nil {
- return r.Err
- }
-
- namespace := apirequest.NamespaceValue(ctx)
- if len(namespace) == 0 {
- return errors.New("invalid request. Namespace parameter required.")
- }
-
- namespacedBindings, ok := r.policyBindings[namespace]
- if ok {
- delete(namespacedBindings, id)
- }
-
- return nil
-}
-
-func (r *PolicyBindingRegistry) WatchPolicyBindings(ctx apirequest.Context, options *metainternal.ListOptions) (watch.Interface, error) {
- return nil, errors.New("unsupported action for test registry")
-}
-
-func addPolicyBinding(bindings map[string]map[string]authorizationapi.PolicyBinding, binding authorizationapi.PolicyBinding) {
- resourceVersion += 1
- binding.ResourceVersion = fmt.Sprintf("%d", resourceVersion)
-
- namespacedBindings, ok := bindings[binding.Namespace]
- if !ok {
- namespacedBindings = make(map[string]authorizationapi.PolicyBinding)
- bindings[binding.Namespace] = namespacedBindings
- }
-
- namespacedBindings[binding.Name] = binding
-}
diff --git a/pkg/cmd/server/admin/overwrite_bootstrappolicy.go b/pkg/cmd/server/admin/overwrite_bootstrappolicy.go
deleted file mode 100644
index 6d8ace4aaf96..000000000000
--- a/pkg/cmd/server/admin/overwrite_bootstrappolicy.go
+++ /dev/null
@@ -1,333 +0,0 @@
-package admin
-
-import (
- "errors"
- "fmt"
- "io"
- "reflect"
-
- "github.com/spf13/cobra"
-
- kapierrors "k8s.io/apimachinery/pkg/api/errors"
- "k8s.io/apimachinery/pkg/api/meta"
- "k8s.io/apimachinery/pkg/runtime"
- kerrors "k8s.io/apimachinery/pkg/util/errors"
- apirequest "k8s.io/apiserver/pkg/endpoints/request"
- kapi "k8s.io/kubernetes/pkg/api"
- kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
- "k8s.io/kubernetes/pkg/kubectl/resource"
-
- authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-
- configapilatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
- originrest "github.com/openshift/origin/pkg/cmd/server/origin/rest"
- "github.com/openshift/origin/pkg/oc/cli/describe"
- templateapi "github.com/openshift/origin/pkg/template/apis/template"
- "github.com/openshift/origin/pkg/util/restoptions"
-
- "github.com/openshift/origin/pkg/authorization/rulevalidation"
- clusterpolicyregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterpolicy"
- clusterpolicyetcd "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterpolicy/etcd"
- clusterpolicybindingregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding"
- clusterpolicybindingetcd "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterpolicybinding/etcd"
- "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterrole"
- clusterrolestorage "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterrole/proxy"
- "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterrolebinding"
- clusterrolebindingstorage "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/clusterrolebinding/proxy"
- policyregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policy"
- policyetcd "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policy/etcd"
- policybindingregistry "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policybinding"
- policybindingetcd "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/policybinding/etcd"
- "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/role"
- rolestorage "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/role/policybased"
- "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/rolebinding"
- rolebindingstorage "github.com/openshift/origin/pkg/cmd/server/admin/legacyetcd/rolebinding/policybased"
- "github.com/openshift/origin/pkg/cmd/util/clientcmd"
-)
-
-const OverwriteBootstrapPolicyCommandName = "overwrite-policy"
-
-type OverwriteBootstrapPolicyOptions struct {
- File string
- MasterConfigFile string
-
- Force bool
- Out io.Writer
- CreateBootstrapPolicyCommand string
-}
-
-func NewCommandOverwriteBootstrapPolicy(commandName string, fullName string, createBootstrapPolicyCommand string, f *clientcmd.Factory, out io.Writer) *cobra.Command {
- options := &OverwriteBootstrapPolicyOptions{Out: out}
- options.CreateBootstrapPolicyCommand = createBootstrapPolicyCommand
-
- cmd := &cobra.Command{
- Use: commandName,
- Short: "Reset the policy to the default values",
- Run: func(cmd *cobra.Command, args []string) {
- kcmdutil.CheckErr(options.Complete(f))
- if err := options.Validate(args); err != nil {
- kcmdutil.CheckErr(kcmdutil.UsageErrorf(cmd, err.Error()))
- }
- kcmdutil.CheckErr(options.OverwriteBootstrapPolicy())
- },
- Deprecated: fmt.Sprintf("will not work against 3.7 servers"),
- }
-
- flags := cmd.Flags()
-
- flags.BoolVarP(&options.Force, "force", "f", false, "You must confirm you really want to reset your policy. This will delete any custom settings you may have.")
- flags.StringVar(&options.File, "filename", "", "The policy template file containing roles and bindings. One can be created with '"+createBootstrapPolicyCommand+"'.")
- flags.StringVar(&options.MasterConfigFile, "master-config", "openshift.local.config/master/master-config.yaml", "Location of the master configuration file to run from in order to connect to etcd and directly modify the policy.")
-
- // autocompletion hints
- cmd.MarkFlagFilename("filename")
- cmd.MarkFlagFilename("master-config", "yaml", "yml")
-
- return cmd
-}
-
-func (o OverwriteBootstrapPolicyOptions) Validate(args []string) error {
- if len(args) != 0 {
- return errors.New("no arguments are supported")
- }
- if len(o.File) == 0 {
- return errors.New("filename must be provided")
- }
- if len(o.MasterConfigFile) == 0 {
- return errors.New("master-config must be provided")
- }
-
- return nil
-}
-
-func (o OverwriteBootstrapPolicyOptions) Complete(f *clientcmd.Factory) error {
- kclient, err := f.ClientSet()
- if err != nil {
- return err
- }
-
- return clientcmd.LegacyPolicyResourceGate(kclient.Discovery())
-}
-
-func (o OverwriteBootstrapPolicyOptions) OverwriteBootstrapPolicy() error {
- masterConfig, err := configapilatest.ReadAndResolveMasterConfig(o.MasterConfigFile)
- if err != nil {
- return err
- }
-
- // this brings in etcd server client libraries
- optsGetter, err := originrest.StorageOptions(*masterConfig)
- if err != nil {
- return err
- }
-
- return OverwriteBootstrapPolicy(optsGetter, o.File, o.CreateBootstrapPolicyCommand, o.Force, o.Out)
-}
-
-type authorizationStorage struct {
- Role role.Storage
- RoleBinding rolebinding.Storage
- ClusterRole clusterrole.Storage
- ClusterRoleBinding clusterrolebinding.Storage
-}
-
-func newLiveRuleResolver(policyRegistry policyregistry.Registry, policyBindingRegistry policybindingregistry.Registry, clusterPolicyRegistry clusterpolicyregistry.Registry, clusterBindingRegistry clusterpolicybindingregistry.Registry) rulevalidation.AuthorizationRuleResolver {
- return rulevalidation.NewDefaultRuleResolver(
- &policyregistry.ReadOnlyPolicyListerNamespacer{
- Registry: policyRegistry,
- },
- &policybindingregistry.ReadOnlyPolicyBindingListerNamespacer{
- Registry: policyBindingRegistry,
- },
- &clusterpolicyregistry.ReadOnlyClusterPolicyClientShim{
- ReadOnlyClusterPolicy: clusterpolicyregistry.ReadOnlyClusterPolicy{Registry: clusterPolicyRegistry},
- },
- &clusterpolicybindingregistry.ReadOnlyClusterPolicyBindingClientShim{
- ReadOnlyClusterPolicyBinding: clusterpolicybindingregistry.ReadOnlyClusterPolicyBinding{Registry: clusterBindingRegistry},
- },
- )
-}
-
-func getAuthorizationStorage(optsGetter restoptions.Getter) (*authorizationStorage, error) {
- policyStorage, err := policyetcd.NewREST(optsGetter)
- if err != nil {
- return nil, err
- }
- policyBindingStorage, err := policybindingetcd.NewREST(optsGetter)
- if err != nil {
- return nil, err
- }
- clusterPolicyStorage, err := clusterpolicyetcd.NewREST(optsGetter)
- if err != nil {
- return nil, err
- }
- clusterPolicyBindingStorage, err := clusterpolicybindingetcd.NewREST(optsGetter)
- if err != nil {
- return nil, err
- }
-
- policyRegistry := policyregistry.NewRegistry(policyStorage)
- policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
- clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
- clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
-
- liveRuleResolver := newLiveRuleResolver(policyRegistry, policyBindingRegistry, clusterPolicyRegistry, clusterPolicyBindingRegistry)
-
- return &authorizationStorage{
- Role: rolestorage.NewVirtualStorage(policyRegistry, liveRuleResolver, nil),
- RoleBinding: rolebindingstorage.NewVirtualStorage(policyBindingRegistry, liveRuleResolver, nil),
- ClusterRole: clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, liveRuleResolver, nil),
- ClusterRoleBinding: clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyBindingRegistry, liveRuleResolver, nil),
- }, nil
-}
-
-func OverwriteBootstrapPolicy(optsGetter restoptions.Getter, policyFile, createBootstrapPolicyCommand string, change bool, out io.Writer) error {
- if !change {
- fmt.Fprintf(out, "Performing a dry run of policy overwrite:\n\n")
- }
-
- mapper := kapi.Registry.RESTMapper()
- typer := kapi.Scheme
- clientMapper := resource.ClientMapperFunc(func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
- return nil, nil
- })
-
- r := resource.NewBuilder(mapper, resource.SimpleCategoryExpander{}, typer, clientMapper, kapi.Codecs.UniversalDecoder()).
- FilenameParam(false, &resource.FilenameOptions{Recursive: false, Filenames: []string{policyFile}}).
- Flatten().
- Do()
-
- if r.Err() != nil {
- return r.Err()
- }
-
- authStorage, err := getAuthorizationStorage(optsGetter)
- if err != nil {
- return err
- }
-
- return r.Visit(func(info *resource.Info, err error) error {
- if err != nil {
- return err
- }
- template, ok := info.Object.(*templateapi.Template)
- if !ok {
- return errors.New("policy must be contained in a template. One can be created with '" + createBootstrapPolicyCommand + "'.")
- }
- runtime.DecodeList(template.Objects, kapi.Codecs.UniversalDecoder())
-
- // For each object, we attempt the following to maximize our ability to persist the desired objects, while minimizing etcd write thrashing:
- // 1. Create the object (no-ops if the object already exists)
- // 2. If the object already exists, attempt to update the object (no-ops if an identical object is already persisted)
- // 3. If we encounter any error updating, delete and recreate
- errs := []error{}
- for _, item := range template.Objects {
- switch t := item.(type) {
- case *authorizationapi.Role:
- ctx := apirequest.WithNamespace(apirequest.NewContext(), t.Namespace)
- if change {
- // Attempt to create
- _, err := authStorage.Role.CreateRoleWithEscalation(ctx, t)
- // Unconditional replace if it already exists
- if kapierrors.IsAlreadyExists(err) {
- _, _, err = authStorage.Role.UpdateRoleWithEscalation(ctx, t)
- }
- // Delete and recreate as a last resort
- if err != nil {
- authStorage.Role.Delete(ctx, t.Name, nil)
- _, err = authStorage.Role.CreateRoleWithEscalation(ctx, t)
- }
- // Gather any error
- if err != nil {
- errs = append(errs, err)
- }
- } else {
- fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
- if s, err := describe.DescribeRole(t); err == nil {
- fmt.Fprintf(out, "%s\n", s)
- }
- }
- case *authorizationapi.RoleBinding:
- ctx := apirequest.WithNamespace(apirequest.NewContext(), t.Namespace)
- if change {
- // Attempt to create
- _, err := authStorage.RoleBinding.CreateRoleBindingWithEscalation(ctx, t)
- // Unconditional replace if it already exists
- if kapierrors.IsAlreadyExists(err) {
- _, _, err = authStorage.RoleBinding.UpdateRoleBindingWithEscalation(ctx, t)
- }
- // Delete and recreate as a last resort
- if err != nil {
- authStorage.RoleBinding.Delete(ctx, t.Name, nil)
- _, err = authStorage.RoleBinding.CreateRoleBindingWithEscalation(ctx, t)
- }
- // Gather any error
- if err != nil {
- errs = append(errs, err)
- }
- } else {
- fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
- if s, err := describe.DescribeRoleBinding(t, nil, nil); err == nil {
- fmt.Fprintf(out, "%s\n", s)
- }
- }
-
- case *authorizationapi.ClusterRole:
- ctx := apirequest.WithNamespace(apirequest.NewContext(), t.Namespace)
- if change {
- // Attempt to create
- _, err := authStorage.ClusterRole.CreateClusterRoleWithEscalation(ctx, t)
- // Unconditional replace if it already exists
- if kapierrors.IsAlreadyExists(err) {
- _, _, err = authStorage.ClusterRole.UpdateClusterRoleWithEscalation(ctx, t)
- }
- // Delete and recreate as a last resort
- if err != nil {
- authStorage.ClusterRole.Delete(ctx, t.Name, nil)
- _, err = authStorage.ClusterRole.CreateClusterRoleWithEscalation(ctx, t)
- }
- // Gather any error
- if err != nil {
- errs = append(errs, err)
- }
- } else {
- fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
- if s, err := describe.DescribeRole(authorizationapi.ToRole(t)); err == nil {
- fmt.Fprintf(out, "%s\n", s)
- }
- }
- case *authorizationapi.ClusterRoleBinding:
- ctx := apirequest.WithNamespace(apirequest.NewContext(), t.Namespace)
- if change {
- // Attempt to create
- _, err := authStorage.ClusterRoleBinding.CreateClusterRoleBindingWithEscalation(ctx, t)
- // Unconditional replace if it already exists
- if kapierrors.IsAlreadyExists(err) {
- _, _, err = authStorage.ClusterRoleBinding.UpdateClusterRoleBindingWithEscalation(ctx, t)
- }
- // Delete and recreate as a last resort
- if err != nil {
- authStorage.ClusterRoleBinding.Delete(ctx, t.Name, nil)
- _, err = authStorage.ClusterRoleBinding.CreateClusterRoleBindingWithEscalation(ctx, t)
- }
- // Gather any error
- if err != nil {
- errs = append(errs, err)
- }
- } else {
- fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
- if s, err := describe.DescribeRoleBinding(authorizationapi.ToRoleBinding(t), nil, nil); err == nil {
- fmt.Fprintf(out, "%s\n", s)
- }
- }
-
- default:
- errs = append(errs, fmt.Errorf("only roles and rolebindings may be created in this mode, not: %v", reflect.TypeOf(t)))
- }
- }
- if !change {
- fmt.Fprintf(out, "To make the changes described above, pass --force\n")
- }
- return kerrors.NewAggregate(errs)
- })
-}
diff --git a/pkg/oc/admin/admin.go b/pkg/oc/admin/admin.go
index e9dbea3facce..8d0c153e7f00 100644
--- a/pkg/oc/admin/admin.go
+++ b/pkg/oc/admin/admin.go
@@ -15,7 +15,7 @@ import (
 cmdutil "github.com/openshift/origin/pkg/cmd/util"
 "github.com/openshift/origin/pkg/cmd/util/clientcmd"
 "github.com/openshift/origin/pkg/oc/admin/cert"
- diagnostics "github.com/openshift/origin/pkg/oc/admin/diagnostics"
+ "github.com/openshift/origin/pkg/oc/admin/diagnostics"
 "github.com/openshift/origin/pkg/oc/admin/groups"
 "github.com/openshift/origin/pkg/oc/admin/image"
 "github.com/openshift/origin/pkg/oc/admin/migrate"
@@ -69,7 +69,6 @@ func NewCommandAdmin(name, fullName string, in io.Reader, out io.Writer, errout
 policy.NewCmdPolicy(policy.PolicyRecommendedName, fullName+" "+policy.PolicyRecommendedName, f, out, errout),
 groups.NewCmdGroups(groups.GroupsRecommendedName, fullName+" "+groups.GroupsRecommendedName, f, out, errout),
 cert.NewCmdCert(cert.CertRecommendedName, fullName+" "+cert.CertRecommendedName, out, errout),
- admin.NewCommandOverwriteBootstrapPolicy(admin.OverwriteBootstrapPolicyCommandName, fullName+" "+admin.OverwriteBootstrapPolicyCommandName, fullName+" "+admin.CreateBootstrapPolicyFileCommand, f, out),
 kubecmd.NewCmdCertificate(f, out),
 },
 },
diff --git a/test/cmd/admin.sh b/test/cmd/admin.sh
index 51a499f6e412..949ae9487b36 100755
--- a/test/cmd/admin.sh
+++ b/test/cmd/admin.sh
@@ -180,10 +180,6 @@ os::cmd::expect_success_and_not_text 'oc get scc/privileged -o yaml' 'fake-group echo "admin-scc: ok" os::test::junit::declare_suite_end -os::test::junit::declare_suite_start "cmd/admin/overwrite-policy" -os::cmd::expect_failure_and_text 'oc adm overwrite-policy' 'error: the server does not support legacy policy resources' -os::test::junit::declare_suite_end - os::test::junit::declare_suite_start "cmd/admin/reconcile-cluster-roles" os::cmd::expect_success 'oc delete clusterrole/cluster-status --cascade=false' os::cmd::expect_failure 'oc get clusterrole/cluster-status'
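Review bot: Dropping the `admin.NewCommandOverwriteBootstrapPolicy(...)` entry in the second hunk may leave the `admin` (pkg/cmd/server/admin) import in this file with no remaining use unless `admin.CreateBootstrapPolicyFileCommand` or another symbol is still referenced in the part of NewCommandAdmin outside the hunk; the import block shown in the first hunk does not include it, so please confirm the package still builds or remove the import in the same commit. The alias removal `diagnostics "…/diagnostics"` → `"…/diagnostics"` is only safe if that package's clause is `package diagnostics`, which cannot be seen from here. Since this change retires the one code path that wrote policy straight into etcd via `WithEscalation` storage (bypassing API-server authorization), it is worth pinning the removal with a negative check in test/cmd/admin.sh alongside the deleted suite, e.g. `os::cmd::expect_failure_and_text 'oc adm overwrite-policy' 'unknown command'` (adjust to whatever text oc emits for an unregistered subcommand), so a later refactor cannot silently reintroduce the subcommand.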